23542300x800000000000000031864Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:40.434{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C568ABAE1AE073D61FFA5BF0DA213C5,SHA256=64936E302D44B1AEA0F0CD0344AB7A7A8375050F9FAE546857635E162354C041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045285Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:40.076{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DFF6AE6B47181C970A8A7427C87F37,SHA256=CAACA3237D41CC5FC9E317E3190C8CCBC6C30929213AB48303038FFDA92EC0B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031865Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:41.450{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88616F34A18367E1DF3E9C245E28E948,SHA256=54F232B4E41C0D04A63B075CCCA42FAD8CF5479D393C0383A3AE6125E462C52D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045287Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:39.627{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64273-false10.0.1.12-8000- 23542300x800000000000000045286Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:41.091{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767324DD23807C9380CD6D4E7E6E3C6B,SHA256=3AB373C009E93F035672CEEAAB43E770693A2DF85845D7F7B6B1B3877443D317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031867Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:42.466{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169EC5283DCAD06B38557FEBA9726928,SHA256=67B994549192348BF2E135C7164E3979718D2A11FB853C724B1C465C6CC5AA15,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045290Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:40.544{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64274-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000045289Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:40.544{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64274-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 23542300x800000000000000045288Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:42.121{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A98EE9805A63709C79D98C8CD07C2F4,SHA256=0702DA5CD17A6C3E3EA2A8C8EF361933B764325F040F5E41753505268A11D159,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031866Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:40.015{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51443-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031868Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:43.482{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057FE951608A36C299590ED14F201963,SHA256=9C537938BAF6DA41DB8D7CB2F2F4EE77D178A390FC7D4EBB64AB8E381973CDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045291Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:43.154{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29872DE0616B9682CFC8AFBF20E780A1,SHA256=FCCBF60B48B44C37386E693EA5482D3165957E08E4BCB90B1F830705C8DD7CAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031869Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:44.497{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8263FE741F1FBBECB4D0F839EE8F5DAF,SHA256=1CA4284305B4D30C744E07F255ADA7488C6E6CEB317D437B487C9FEE00689B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045292Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:44.173{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD94F1B7A8BF1375EB512B02F9E216A,SHA256=1F68FEFBD39D189384C632942C635881B96242DE68A76E07ACFD15AC2FABBEE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031870Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:45.513{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F1C0EB2A3ABE6056039539DE4D7EC8,SHA256=F53D0FE963EA1292CC8ECE1ABE42987B967D61B8D7129CE119C0AAB4B7EEE094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045293Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:45.204{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C86E6EA3542C3F646C1B67EA85D37E,SHA256=B870026B9B3D35DC6C686A285B5C485E2EEA8AA233523DBC67D64BDDFD96EC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031871Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:46.528{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78B0F3685B8928BD24F09F1FFBEFF53,SHA256=74796DA35F574A320E6E22D099F02F3989A0E377ECF9B76368B463132AC65FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045294Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.289{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC553D6A6BB68176CBBDEB72A7CB980,SHA256=87EB99F3F0B9F9936DFED2F36D996C1F7C6FBB0235046BA550DC69E8A9B73AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031872Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:47.544{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E7AEB00D9572AB2696B089CEDF36AE,SHA256=685F8F6DDF90FF862594D575B7955AC38B1A94F3E8E9AA18FC604B23EE230159,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000045298Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:41:47.372{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x800000000000000045297Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:41:47.372{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Config SourceDWORD (0x00000001) 13241300x800000000000000045296Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:41:47.372{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9A7B1CBE-334F-49C9-89E1-93C4FD220585.XML 23542300x800000000000000045295Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:47.319{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE53DBFF431A20E581F9491FFBC0E8A9,SHA256=7E919CB38903C7B8CE09412E2C9E68411503C76EA00807E7DCE1478823C22965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031874Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:48.546{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68562BA8B2E8CD99D63BD1745FA84B4,SHA256=0CE0C156ECC9955987C0563E676F0AACD370A938E0E8A1F969F7751C0D89EB98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045308Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.838{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64278-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000045307Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.838{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64278-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000045306Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.822{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64277-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000045305Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.822{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64277-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000045304Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.808{82A15F94-3493-6112-0D00-00000000E501}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64276-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000045303Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.808{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64276-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 23542300x800000000000000045302Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:48.403{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B02E97255CFE73341C3C417E002EBDC,SHA256=A9E8813AE8446FE1276DEEAD1A1E6E0EED3AEA71723D341364525E72D92B2F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045301Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:48.403{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FFCBD8B48F350D5450148ADB58CF475,SHA256=EE1F867FAA3F32AF1EE8981CAE765C39193C1BCB83F3D09B4FD1B3CC3AD90A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045300Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:48.329{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5654CF19CE5D74311A0F544DCCAB1BDD,SHA256=01A2E997CF817C5856AF43C6783CC46C5C48C13B78B2133409EE26AD61DD4517,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031873Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:45.952{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51444-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045299Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:45.555{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64275-false10.0.1.12-8000- 23542300x800000000000000031875Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:49.561{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D680218D77F8E0E21CF7294979B32E9,SHA256=4CD590A8C8A8DFB79FB21D60A34010123DC9B39EBA2FE872A56F1FED2DFA361C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045309Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:49.354{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F3F385CF9A3011E3001435FCCD7CB2,SHA256=FC3902B4C4378B172F01CD06505303576A1C3F904677EC338E7CF52E46574481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031876Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:50.561{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1626C738CDB0E59C450DF61BD63D3F1F,SHA256=B95DBE0734101C8114B62A70D2B8CA2397AC4618A4FAA4A6C4D67540F9F1A7EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045313Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:50.386{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336D15231DB780EA2463CF25DBC1473C,SHA256=A3873E75F375FD84AC013DF543743DF6DF328E7238109372B6322C5E28E377DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045312Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:50.002{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045311Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:50.002{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045310Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:50.002{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000031877Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:51.577{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9932ECADCD3CE9B97DECA75B9C20D2E9,SHA256=AAED798DA1596F6C7A3C70B0B4F9C4B5AF43FBC0C914598FC13BD0426CBB7520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045314Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:51.417{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A94FE683D13E794175D0C6C4E0A8EF4,SHA256=0C08202F320D811E20FB16242C067D626039D89D783034A8356E8BFDCC9238CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031878Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:52.593{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=613A4F78F8B4C5585BF29EB5E2E95CBE,SHA256=F73162A7A3369E1D04CC0741FE8BDA60E80118B931CD863AEEDC23DB4FAF7B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045315Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.450{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB952D53518A61F93DBD46C566A9F0D,SHA256=00A1D5E623FADB6BEE76D4BA5F29DDB5A99C832310D73830565882F656E46594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031880Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:53.608{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AFAA7670D13F5F06F799923F66E1A20,SHA256=E4068B4FC6C56EF64EA43F921FFE641406D5111693C34B550CA067A810F453E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045319Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:53.915{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BEB46C227DC2951800351B17291E7D4,SHA256=F71727C6D7EDE77CF943F8492C15C6989C9FA28348AEFF6E0CB08F5D7C97732D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045318Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:53.915{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B02E97255CFE73341C3C417E002EBDC,SHA256=A9E8813AE8446FE1276DEEAD1A1E6E0EED3AEA71723D341364525E72D92B2F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045317Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:53.468{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B543581CF798D6907AF223A504A4B4B,SHA256=4B97A92623A9B36BDE6F652532A5C85181D84E61508A9F517235407BD494D25E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031879Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:51.970{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51445-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000045316Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:53.000{82A15F94-3491-6112-0B00-00000000E501}6321008C:\Windows\system32\lsass.exe{82A15F94-348E-6112-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000031881Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:54.608{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F8B762EC50395A96331DBA20E6E97A,SHA256=18847C3F6A7DFC78AC390AE25AA8D0743D8C5CEB63F1DE37E04BC932AF5C4668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045333Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:54.484{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ACB01172D8F60E0494CAABC9C90CD3B,SHA256=13F24C693526D166497A788162D4224CF1F237C440616A09F8F96E108FB6F570,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045332Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.441{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64285-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local49666- 354300x800000000000000045331Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.441{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64285-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local49666- 354300x800000000000000045330Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.440{82A15F94-3493-6112-0D00-00000000E501}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64284-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000045329Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.440{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64284-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000045328Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.351{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-15.attackrange.local64283-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000045327Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.351{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64283-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000045326Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.339{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64282-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000045325Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.339{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64282-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000045324Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.339{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64281-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local49666- 354300x800000000000000045323Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.338{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64281-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local49666- 354300x800000000000000045322Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.337{82A15F94-3493-6112-0D00-00000000E501}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64280-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000045321Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.337{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64280-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000045320Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:51.567{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64279-false10.0.1.12-8000- 23542300x800000000000000031882Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:55.624{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1419D7FA4224C6E5F05516F1EAAB7674,SHA256=2BDB00F47E9EA05770B5B948C487471C2491042A2ADD7CC41330383C5050B156,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045353Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F3-6112-FB07-00000000E501}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045352Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045351Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045350Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045349Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045348Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-57F3-6112-FB07-00000000E501}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045347Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F3-6112-FB07-00000000E501}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045346Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.900{82A15F94-57F3-6112-FB07-00000000E501}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045345Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.498{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D829DD29F8FEE5083CDD6E249F836C2A,SHA256=EFC72F8C5FDBA801E844C66BBA23350FA61C770D0E542FFDCD89ED9651ED5FA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045344Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.383{82A15F94-57F3-6112-FA07-00000000E501}2968756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045343Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F3-6112-FA07-00000000E501}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045342Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045341Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045340Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045339Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045338Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-57F3-6112-FA07-00000000E501}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045337Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F3-6112-FA07-00000000E501}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045336Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.231{82A15F94-57F3-6112-FA07-00000000E501}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045335Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.444{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64286-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000045334Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.444{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64286-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 23542300x800000000000000031883Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:56.624{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE35AB96AF2F30731A9F1E947B3A6A88,SHA256=ED976572F90F3F5596B97135CCF3E23D5BF5FEAE0574D04AC4B101D28F62A208,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045363Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F4-6112-FC07-00000000E501}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045362Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045361Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045360Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045359Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045358Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-57F4-6112-FC07-00000000E501}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045357Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F4-6112-FC07-00000000E501}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045356Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.584{82A15F94-57F4-6112-FC07-00000000E501}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045355Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.514{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114EF722612260BEE0D6AD169B199811,SHA256=8344BD59F7DAFEBED47D56B3A12DC8DF027354EC184F3E6942F4D33EF1C6ACE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045354Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.248{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BEB46C227DC2951800351B17291E7D4,SHA256=F71727C6D7EDE77CF943F8492C15C6989C9FA28348AEFF6E0CB08F5D7C97732D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031884Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:57.639{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648AEADB0590C8AACBAC363621895040,SHA256=4C938CD96609E41D2C7C8E9D0C3A6C37185531E8EE27F552B8510C531DBB709A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045383Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.948{82A15F94-57F5-6112-FE07-00000000E501}48205572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045382Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F5-6112-FE07-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045381Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-57F5-6112-FE07-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045380Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F5-6112-FE07-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045379Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045378Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045377Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045376Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045375Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.784{82A15F94-57F5-6112-FE07-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045374Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.598{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E366888337675B6E1CEAEA8B513ACC56,SHA256=C1356DD3D5CB5590DA4A69B2D481C0E31C81C7776BF96F80B3C7B3672CF0C10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045373Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.551{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80A65171532EFE1CED9E6CB2368BB11,SHA256=6A92FC5E50C12AD0CBDE8B675873F2EBF0AF6FCE019B6426F5F660B2E4D69DB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045372Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.429{82A15F94-57F5-6112-FD07-00000000E501}65201044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045371Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F5-6112-FD07-00000000E501}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045370Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045369Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045368Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045367Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045366Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-57F5-6112-FD07-00000000E501}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045365Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F5-6112-FD07-00000000E501}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045364Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.283{82A15F94-57F5-6112-FD07-00000000E501}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045394Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.797{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D79D1F19F729AFDF3B56724493595F77,SHA256=2BC99F2EED5BD631BFD56A08ACB642C55CE9E879BA9E1AACB08E3ED23003B588,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045393Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.613{82A15F94-57F6-6112-FF07-00000000E501}1084104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045392Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.566{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8015722E8228E21BEE5E997A588FAC17,SHA256=82A1F6F63E1F197631967F160FADCF8BEB1C5B0F7792B39EA524D1482A02AAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031885Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:58.655{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFA70D6C4AF99D4A0DE148A9372E547,SHA256=3D43B37E1B581E70C1F30064E7C7C500A5E5D6DF816D989B5CAE84073210302D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045391Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F6-6112-FF07-00000000E501}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045390Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045389Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045388Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045387Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045386Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-57F6-6112-FF07-00000000E501}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045385Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F6-6112-FF07-00000000E501}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045384Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.467{82A15F94-57F6-6112-FF07-00000000E501}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000031887Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:57.954{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51446-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031886Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:59.671{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961C9ACF2A17F16302050FDD79D4020E,SHA256=B006B089060292314D2B1B4E683E9D5EE7CBD75A289F2E0F36EB2950BC56DCBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045403Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.596{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC6FC35C11D3EF8ABC864FCCECD3EC4,SHA256=E0D3699DEF824F9488C123C42F0696BE77B50C09BA7EC089278E440A394CA3F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045402Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.148{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F7-6112-0008-00000000E501}440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045401Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.146{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045400Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.146{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045399Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.146{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045398Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.146{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045397Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.146{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-57F7-6112-0008-00000000E501}440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045396Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.145{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F7-6112-0008-00000000E501}440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045395Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.144{82A15F94-57F7-6112-0008-00000000E501}440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031888Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:00.686{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75FBDCA2386F2C2F3A63DE4B735A0F8,SHA256=EA9E1C94240B3DF1C4A4DE65EF66A3F1E121891ABA89AD51B8C3BD6DD82B2C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045406Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:00.645{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA6EAAC850B41432A9DA62190F9016F,SHA256=6A9BBD84C947AD8E3C50D8090BD9BFEEE5939E127DCE2385BA98D29C280206D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045405Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.501{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64287-false10.0.1.12-8000- 23542300x800000000000000045404Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:00.149{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87BB040BFB6F98159B160B5F1CD61FA3,SHA256=7B2F2EF51026C4AB0FDD8B897CEE8CDCF04C47654A4711049497C5B48908D9D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031889Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:01.702{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8173DDFC6A75752C685DF4E1B89191,SHA256=E53515E2DB29F8DEB5A09C3A5B1D01E03488E32C345E61E42D5C006364BDB8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045407Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:01.664{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD523A1C25D7DE503E0EDF4DDE09865F,SHA256=B402E9C86E3571E1B50D7C2E3786840DF7C4786177129D2B32F5806EBD1862B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045409Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:02.725{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE22CCD6B6E9AD68EBE691E903B46C2B,SHA256=B00BC7B62D8024F01F263B2B3EE3EA511C7D53A67F8D7E5D58D122E39B7F14B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031890Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:02.718{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36904341D151F46AB1BAE7FA124CCB0E,SHA256=BBDB7679AD2CB39201A6D2CC23F7F6697287B377132A44974AB24BF5F607A254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045408Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:02.026{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=565167A061EAB3FE53C2035D64AFAC61,SHA256=05FE14DEC0CB0B76F4D3225EEA5AF186151D59A13E1B0EF1EBC118EC5DBB8C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031892Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:03.733{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031891Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:03.733{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F46DBFDD784DBF79337042A8C84A3D,SHA256=1798E4100DBE6C4BC4446CA1ECD5095236FC57D22A9D18F90AA25866EB0486F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045410Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:03.743{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CF356715D5743FF9DA3E5134737968,SHA256=1E70E06C72F3A76E2EC0CA2A9C0901E406AAD9B9347B72482424462EAF7DD97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031893Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:04.764{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5B08DAFD85B9D7AF7B33D3CA41CBDF,SHA256=1175892B1B0F456826FA870A7FD54391C17BD53FA3FC43C1C9E113862A9AA923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045412Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:04.777{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E142267AFBF44535A6F520CD0FF0070B,SHA256=F3528829F53A5478606C52F9A523DDE9F27762CD3B27CE4014E778C5D0BD82EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045411Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:04.761{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F3F336B14D2F80C73D512C7A899980,SHA256=659ED04732CC81E6DEB7B875C0D8FFA332D248955BF45761D94CE4A03787B3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031896Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:05.764{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716CBF8504D72738B04F378CD108B472,SHA256=FE1F3DDB6EDA718C216080454857A12A3C4B8E256203B1A8D95FBD41B77482C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045414Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:05.776{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0185DD111A9543C5CC0BA438B3D14418,SHA256=342E2930827D65A2973C61C9478036DD84D1B639A7374FE30A08D03F66D17096,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031895Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:03.938{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51448-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031894Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:03.501{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51447-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000045413Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:02.698{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64288-false10.0.1.12-8000- 23542300x800000000000000045415Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:06.778{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345FEFF301A3EEF4EDCD44744BC4F924,SHA256=E08C526E8460DABF3D7DDB31E2A88D0BB8048B9156FE2631894868DE701A99DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031897Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:06.780{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB075146B732DF61989BC311DFBC3CAC,SHA256=EA8AC3A9A4B9B844AF91266C1CB4FDAC9829D560487CD960BC97823DE4E7E7BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045416Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:07.808{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66007DA1414B879AA55F78B953CEE4FE,SHA256=BF19AAFC277AF6E0E8E561181076E86E21060F1BB9B17C443B495A92CF1F7F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031898Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:07.780{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BAC5B96D7D06FF4EF7F6569EADDA48,SHA256=57C02F26CCD8716F92540A6E1540BA85321FBE8015F5EC33FFD39CFD74325F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031899Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:08.785{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBDC0011C9C9D4311087BA58B89D59C,SHA256=203F63006192E99BF598F422BDA8908C8ECCCB3FDB2EDFD3B2B49FFBEFE8972C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045417Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:08.841{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCABD541E9D49B6797FF6DE17A8B4E8,SHA256=0627803A8CC91C63E1D8ABC41E9E1ECD298E54241C97E29B2809C7C875EFC71C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031900Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:09.800{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0C2B5465930B47A9C2D0E29808AEED,SHA256=7CDDFCA970769F783DAE1F0161648151010000E3323F839386AB8CCC4CCB58E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045418Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:09.860{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866B055F085395CC85E0423112CBB648,SHA256=8489BC4FFBE1524EE1C7D480BFB42E9D0762DA9B83CBAEBAF191C2D7B6F21624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031901Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:10.816{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D257D8419966448B60E40E251268200A,SHA256=3359302A96AE264961360BDFECBC5D086374D35F8702EF4BF61FF83D79348EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045420Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:10.890{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F2E3525839268429C351FECF864584,SHA256=28773F4AB608D2877AA608DA434486C99D7E51DC5D8CDF70AEC439DD10A7A367,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045419Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:08.674{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64289-false10.0.1.12-8000- 23542300x800000000000000045421Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:11.921{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B3C91B9F309315C7212478A688D79B6,SHA256=676027D9688AFC52D7C6E1EE73568802E1E00569E55FD8441F717D4FD8FD6D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045422Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:12.958{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C469CF12F8F4395EA32AB06DDEBDFEF0,SHA256=FE5A161D5BE84D026241A883745CD377765F1BD03E5A6266D632F52CC7CA0108,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031903Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:09.943{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51449-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031902Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:12.035{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4416994F92CD14EBB0E697ADEC4344,SHA256=B8FF030CDE338024D9BBD751E2F273E129FE6DF6AC7712A9ABA01A2F5A50077B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045423Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:13.973{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F4F099EC1F5BFD4B757DFB5BA921B8,SHA256=27E30AECA9081F7DD3870123C70B29A8065C780C3EF3139D0BB47CBFE7DF4B26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031917Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5805-6112-7206-00000000E601}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031916Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031915Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031914Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031913Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031912Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031911Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031910Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031909Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031908Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031907Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5805-6112-7206-00000000E601}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031906Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5805-6112-7206-00000000E601}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031905Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.676{82855F7C-5805-6112-7206-00000000E601}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031904Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.050{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8563BB58742DB6373FA060F31056F1,SHA256=4AE4B692AAE18F542CE7BAA08CBDFEA3F9839EAEE20B56F474E43AECCB510763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045424Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:14.976{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8452D44807A9836656BEEFF816B2EF,SHA256=7E8FE6ABEB9E041EF60D64152A0D7B46A44B40588F4A1AE5029E613F73A773F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031948Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.988{82855F7C-5806-6112-7406-00000000E601}3124960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031947Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5806-6112-7406-00000000E601}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031946Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031945Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031944Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031943Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031942Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031941Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031940Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031939Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031938Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031937Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5806-6112-7406-00000000E601}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031936Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5806-6112-7406-00000000E601}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031935Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.833{82855F7C-5806-6112-7406-00000000E601}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031934Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.753{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1DCF3CD541F404AD4C79876ECAE39047,SHA256=71581CCBCF33DE5F5A77C8F50409BF79323FC78E63399387DCF0EEA8E8CD0CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031933Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.691{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=509C22B6D4E8FC059C07791B821B0477,SHA256=B5201A3F23A3E2095C81E00CA72F98F11AF861C9D3357B78CC20136F95C00AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031932Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.691{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CACAD8A3A9C6A152FA11D8830866237,SHA256=9C2A2037FB277260428A5A9CC325B6B1F008EC254F04316E624D09142CA09ED0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031931Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5806-6112-7306-00000000E601}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031930Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031929Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031928Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031927Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031926Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031925Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031924Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031923Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031922Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031921Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5806-6112-7306-00000000E601}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031920Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5806-6112-7306-00000000E601}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031919Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.177{82855F7C-5806-6112-7306-00000000E601}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031918Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.066{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F699A3C8714B753B1235D989BB1ADB8,SHA256=F2A88265844D2E32FF1E001297D15D3D665E4744EF8074B305BD3250C59B387B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045425Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:15.991{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11734243F9B8629B69F8F7CE849C877,SHA256=0856AFD2B264436F2EC0EC1A59476E622A203AD84FA22FE75A32F203A7DB799F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031950Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:15.847{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=509C22B6D4E8FC059C07791B821B0477,SHA256=B5201A3F23A3E2095C81E00CA72F98F11AF861C9D3357B78CC20136F95C00AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031949Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:15.191{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F865168E099C5138F30364D349C34EA7,SHA256=3CF593392488838EAF31A179FAC7B947E8DCDAF8DC8811173CEDB199455BCA16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031980Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.863{82855F7C-5808-6112-7606-00000000E601}8842192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031979Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5808-6112-7606-00000000E601}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031978Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031977Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031976Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031975Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031974Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031973Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031972Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031971Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031970Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031969Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5808-6112-7606-00000000E601}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031968Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5808-6112-7606-00000000E601}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031967Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.692{82855F7C-5808-6112-7606-00000000E601}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000031966Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.959{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51450-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031965Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.207{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FBE2A016344FF55682A94490BE50287,SHA256=FC263DFA34B27B3E1C9F15460C1F047B9A7B5ED8CF75F740E6D362C5AF338716,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031964Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.160{82855F7C-5808-6112-7506-00000000E601}20082588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031963Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5808-6112-7506-00000000E601}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031962Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031961Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031960Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031959Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031958Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031957Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031956Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031955Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031954Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031953Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5808-6112-7506-00000000E601}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031952Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5808-6112-7506-00000000E601}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031951Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.020{82855F7C-5808-6112-7506-00000000E601}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031996Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.535{82855F7C-5809-6112-7706-00000000E601}2460800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031995Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5809-6112-7706-00000000E601}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031994Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031993Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031992Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031991Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031990Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031989Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031988Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031987Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031986Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031985Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5809-6112-7706-00000000E601}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031984Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5809-6112-7706-00000000E601}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031983Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.364{82855F7C-5809-6112-7706-00000000E601}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031982Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.253{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A3235940C7BC53B37E783506C64DE3,SHA256=A40ECA2451B37880D6398C12560DF4ACECC062FC733BE30F8B5DCE618445C813,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045427Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:14.673{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64290-false10.0.1.12-8000- 23542300x800000000000000045426Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:17.005{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA17E40E038EF074609D74CF842D2732,SHA256=A1B435E697A169CE9F343DBBB26BB8E584DDADA417E8BF2A409FEB209484D230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031981Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.035{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5043577B7238D21AFA8BB208AE2BEC6,SHA256=8F38B1E68F44C114ACE8CCBA298050ADDDD621BFC6C0B3DF0B06F99C1EF5DE4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032011Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.613{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F09944884806946FE25785F374F20F1,SHA256=ECD444526A89061FDF9E52B20732D8D5A9950116363B8581B423AAC3683FA02D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032010Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.613{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB10A5BA7340BE21206D0EDCBF22B81E,SHA256=8A1C627207A8199EFCF2471CCFA7075CD8F58DEB048CF909C6F7E935B872909D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045433Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:18.542{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045432Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:18.489{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000045431Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:18.489{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000045430Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:42:18.489{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.55.10684561C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000045429Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:42:18.489{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.55.10684561C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000045428Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:18.020{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC9A65B9B61644B95E829ADF4DB62DA,SHA256=9B865530CBDECBEFEC1415F7675DE08B7227F746C48C9FCD21305CEF56E04235,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032009Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-580A-6112-7806-00000000E601}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032008Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032007Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032006Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032005Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032004Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032003Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032002Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032001Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032000Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031999Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-580A-6112-7806-00000000E601}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031998Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-580A-6112-7806-00000000E601}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031997Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-580A-6112-7806-00000000E601}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032012Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:19.628{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F173B9034A73D9DA5735698FD28016E,SHA256=36867198913FBD2F0BDC69723C4181A6C4931F03DC32E6FF6781487C96ABBCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045434Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:19.021{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D433BDA085ACC1814437C7EF95BA2CF,SHA256=DC617BA7CC6F4429AAA89715F1C5435EC6CAF966B050DD05F3A6D4619515C46A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032013Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:20.660{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A79C7B305AE55D69B8229202DC9B4B,SHA256=0F18A51F8D40E34836F40A881305DF67B6952D7876640E8855469885F36BFF9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045435Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:20.074{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB94C1AD1EC02CE803B33D952845519,SHA256=7620E9403A0A744AAD297BD57BAA78A8C72B00F5F24E2E7109673C8597E92951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032014Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:21.769{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7816BBAF9866EF96D98A7F1992D663B9,SHA256=B97D8B0D9B89D99D57F30549E27B332C87B5BAFD30A273EB574D5AA4F6C2C1C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045436Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:21.089{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E013A5C81F7E140C9BC1C8506B57341,SHA256=1FAF539AD228EA43DD7E0388EA43AEC2A40D31C346F0F1F8B7D10E764878EBAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032016Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:22.800{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9E8D01B77511F3768B0E5A19D31E55,SHA256=B287D25DCB9C2452F8672576CB4C02C19E81FAD84967A328950F380E9CE3A071,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045438Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:20.456{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64291-false10.0.1.12-8000- 23542300x800000000000000045437Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:22.120{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BB4254ABDCC908B5253D49E727EF12,SHA256=78753C376001C6E557656DA56B2B2520A46158C552C90D9D102DD84513F699D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032015Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:20.880{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51451-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032017Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:23.832{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CCECEFA74466707B67A548926834D6,SHA256=5D08B09B438B1F3A83EE01CA63B4FA012FD5A47C87CBE3E1BA42985A80EB9B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045439Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:23.120{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70284DAF6AAF423D4968779091A5EE43,SHA256=2CF5D539D93D6BF6D7574878635D626D9CE5D253A9536F0BEA124EFBE77C3AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032018Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:24.863{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC881A08027D64C3B8C446DFD4A1B642,SHA256=7D5FC79A0CC0E4D3CFE3C74D734117D886CE5A15E13142BBAD5990F906C88E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045440Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:24.120{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981DA3B81CE11C19C08F8DD8B55CD34E,SHA256=F192394DEA17C30725C0A3E0D247172399750606BBC0E882D33738B831F1EA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032019Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:25.878{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120A0E9788DCB40EE3D1DA4574612CC1,SHA256=DA5DF135F2151559D83B341CDC13AD3774D6C71812350F3D426DD5086D6D968C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045441Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:25.137{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780F5107E6F518939415C4EB289538EF,SHA256=30346003EB0E361203406ED7DC84E39E9E231E1E32D2C85CF288DDD35C1EA8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032020Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:26.879{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBA090AFAC6692C53C92F02FB2153BB,SHA256=ACCD0891549796DCD7498F69252EDC184E9F121E32E2CBC3A5FD2852FDD7FB4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045442Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:26.156{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F71339F06D96F2952D79622A447A050,SHA256=28441B0E3C6CBA1C1FFE547BF7761038DB37CFE5629B2F0443B8277DCEF727BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032021Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:27.941{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B368C647428D25262AFB0472BAD1FB0D,SHA256=541585C8F8C8D000A57D5279E5700D0572766499486C8B4A63AED9C7D97078F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045444Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:25.591{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64292-false10.0.1.12-8000- 23542300x800000000000000045443Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:27.186{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB6172D031850F127BC9500C0334BF9,SHA256=0FAB85D6F5A2A4A7496C8A6AFD76F4EF56C1B5DE865A1D28F1AC42824D47221D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032023Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:28.993{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7A0CEEB6E28064BABA6469938E5DAC,SHA256=CD01EC49115055079A78ACD79FED86BE2748BC38FD8B263B02340A23401BC2A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045445Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:28.201{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49DCC709661328EF3A0E0839D1D83D36,SHA256=C2EFC7C27763444142475A988D8381F163383D82E9BAFDF139F5DAB0172EB51C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032022Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:26.865{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51452-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045446Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:29.216{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4690574327DC13CB1B67F5E34E833AF9,SHA256=DF03C1DA7F3DEE4209D9ED6295E6B1F3F875629DD7C2AD86BB9ACE22422CBA95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045448Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:30.568{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045447Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:30.233{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0588C622938F5B59CCE6B4EBDA772074,SHA256=BF0D1BFB30B2EFE03FFD33786385B3CEEA85F15CD3F4A04230BDB45D54135EF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032024Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:30.024{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3957EFEDB51CA8704F12497106A6D9A,SHA256=43829141EE10A7760E2C106B934C5CA053FE05AD4CC511B77A546042634CE3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032025Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:31.055{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C522FE98DD95CD133ABB9F9330DFC2,SHA256=62AB4E144CBB23BCF1AC7D807701876FD8166EA547EE7FE302A9D4C1E8669B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045449Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:31.252{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4567A2A04C064902622D210205986B,SHA256=CE66122FFA48EC98BB753843DBD9CC996739F04CC62F43365734E5234E7943E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032026Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:32.071{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B4E9B73170BE44DD72BD95A1688E6B,SHA256=1CCE8D4057254871E9EC551C688DD05B4A3BD1986247886698B8507D07816532,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045453Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:30.603{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64293-false10.0.1.12-8000- 23542300x800000000000000045452Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:32.882{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5189497DC2AE22D48C7D9741BBDF277B,SHA256=12621CED297D00CC51F1091A26B94CF5DFC35D5D972E2C0F4402EDAA15199A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045451Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:32.882{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E26F7CA2BD956A050FF16695A1ACEBAF,SHA256=6572CD922A53686D7F35240D997B3E0D341B85124DCCDDBA51D1A9B3466B6255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045450Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:32.267{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3C4208C61566C79CCFBC529B9D3132,SHA256=BAA3C3EAB81D25B803283551846887D79A2A63E2EA31E5FCA7E60E0C7C5FE50C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045457Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:31.287{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64294-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000045456Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:31.287{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64294-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000045455Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:33.366{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045454Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:33.282{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8DB44C181BA9FCE54DD4AAA0E6C0C6,SHA256=98469F1F1126C3F4D22776AE82B8DE3662BD3EADFA584FBF6E26E84B02506871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032027Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:33.086{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D0B4576FB2B330B299B7FD7ABA0A22,SHA256=40E0EAB4078DC0C7AD6F2AB0CFE360B08204AF2A87D912FEDF9BB20C4ED8757E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045458Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:34.331{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD554DD0A282FAC0E3FD905BC97B6B16,SHA256=CE79AF0D7C1B0B24352B70F6382582E5E31ACE225A514153E2E4535939B15C87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032029Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:32.901{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51453-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032028Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:34.089{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E26CD1841277EE093B20EADA5A80820,SHA256=7E8433F8985A08887B608C61D4728C09E426C31B42D5A42D081BC9203FE86BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045459Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:35.350{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE61840569C760F4122092892FC9AE5,SHA256=527EC5358673DAAA5C6B955D4ECD036DD34E802DBE09F59411D2386559FFC256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032030Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:35.102{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2028552AA5A30072DA9835689CB316E4,SHA256=9E66D273ABCE88C7167BF34294D7043944B723946979EC9732005D6DB873EF8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045461Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:36.365{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037F8F2CED1220D0E05E36C2403A7581,SHA256=A7F4A103EE18F6CC1C00610EE7892B1FCBDF193C52080BD5146394317B9C00CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032031Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:36.118{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE739CA51F7A519239AA447B8F7CC27B,SHA256=2903797E9CF06A0D4969257C7784FA6D33041E3285347B4AF011C98E6D908BC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045460Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:32.786{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64295-false10.0.1.12-8089- 23542300x800000000000000045462Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:37.379{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A066D928C763CF9DFB5D1B288AE7313C,SHA256=337E06E09AAF3622E20060AF4F815995E35B21E19D8090CA0F659B73DFFFDCAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032032Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:37.133{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7CD3DE7F89D3CFF4681F9C40D73E701,SHA256=72FC5FDD80D6FAC75E142979A2DCC048A6C7D3866E90D750B804623A0EA59BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045463Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:38.380{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2BDAAEE9B63796B1834C894BDC82F3,SHA256=EA6187752F2442509DC35657F33822F11C537C1491B51BE063ACE2071315A5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032033Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:38.138{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201650B241DE2A053086C84F918616B4,SHA256=B13AC551848C3505D50FF6693F8EB5B119481CFEEE9DE4C2D752081D16D78DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045465Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:39.410{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E384728B010A987A604497E019F78E7,SHA256=E02038A1A5046B71E3725CB34E1E4E4E6EDDDF2EA36ECF00B50D5DC6B22E53D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032034Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:39.151{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487A145F3F111474AC6607C6D0C8DAF7,SHA256=E0D3EC7076B4D75F5A01305FF1EE2EE73BB0186CE485D2DE77A6A95FE2A667A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045464Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:36.562{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64296-false10.0.1.12-8000- 23542300x800000000000000045466Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:40.429{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BBA078CFEB6DA4FC21BE6D2B233D4E,SHA256=4C6D4A963A5D33D206132DF8F949296FC5100D3038F563469E490DAE64D9CF67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032035Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:40.165{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC281708249700DC910C6AEC917CCB7,SHA256=066D8A7C2CC7F20A509836A48C115499DC41DCBF4A4DED01481B80E6B2B79AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045467Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:41.447{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF20668315DD78B4CF3A7662ACE2EC0D,SHA256=7B4B9E68CC8D9A010D796B62E8056B8916418CB9BECF53A213636F1828437319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032037Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:41.181{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6230E12427524816F412813D61A3715,SHA256=49254B99C383200FE8CE4249D195C572E9C7ACB9C59B0212B8F9B1066A915D3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032036Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:38.871{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51454-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045468Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:42.450{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21C6A869A0F7790C2702E9AB3631BB6,SHA256=BDF402A94DB327AF2CFA8DFE5B2F5395C38363FCC68251498DF1E157E3E4D46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032038Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:42.181{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB8ECE4F72F58CA7EA7ADA5382E50A2,SHA256=600EF83D1E3B0CDFE66AEED9B32E781FDD5858E6FD2CB939D2F43D9D3C9643AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045469Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:43.465{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579902265171A3C0BD03DCD1D16A7389,SHA256=385E05AE9CF0C86C99EC5A5B7F155BBF8E53F40BCED3B831B2734E3381298E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032039Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:43.197{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE8E9F6C6EED2C570EDFC818AB48B23,SHA256=B3A67BF168E13F0A8027AA58F41A1F2BBB511B0234DFF98DB07DC60E97F6FB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045470Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:44.469{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95C56D84CD4FED19777AD76944D67EA,SHA256=F0825C7C4779E05389BA37B0ABCBF8BF94BB48F8ABCB2A93A2E263FBC7A09ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032040Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:44.197{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582EFA8B223F4A7396559F4B1518565E,SHA256=677A43792402F644B25BFFD1E51214F11B7D47DC8021A3D6749D6664F05A507D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045472Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:45.483{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F240F8D6515CDD541AEA612841D22E,SHA256=8BE2601CD8E6EFE35F6BE1A5E8EA0A33B6AEF951D1FF28BC0EC6C46A9FC01C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032041Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:45.212{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8DDCEE0710DD79E4CA074006CE0A0C,SHA256=DEC39CAA9444A240A22EC432C5E9871C40DE1544F06C8E2B7B8336D45484455A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045471Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:42.517{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64297-false10.0.1.12-8000- 23542300x800000000000000045473Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:46.498{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065162961F11269404967325D0744F86,SHA256=B26CDD362960617F511613D1ED3C6FD2DAE88A79F24ED61C4DEA7829589752E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032043Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:44.042{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51455-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032042Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:46.228{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E9D998AA4A68E4147966E2C1EA5DCC,SHA256=0288FF9D6B74EAB0CD3E360FE250583B6148DF7EB0E830A4F9B44A9884C17781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045474Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:47.513{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5F87869A050344BA66747EF6D7BF3C,SHA256=B40FC791D529C75388D961C4673F3CFE42E896099DF3D16569CB97AE53F58A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032044Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:47.243{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D166DCCDBA175FE84EFE37A8F21DBB,SHA256=0F01165CBC476306DB8FF4E2F6ABA6F387D94FF9938F5AC1AB80CE6C778F5562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045475Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:48.532{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39EB077B9A8863A6246AF36F1592AB7,SHA256=44FF97A1D6310E23053B0D3ECCC26378416F6337878989020DD76BCFAFFFAFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032045Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:48.259{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2483002C810C94603D4D244BDAB76DDC,SHA256=4F2F188CF3F2552B46181DDD8DBE443F9B5F1791BAB44CF3598A5445C9EC9B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045476Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:49.596{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0D03EB6B887463B29513470C96743A,SHA256=3A42F029FD36DCBC8227616B8ECF1B7B2C11F8FDE683DA7A9B3B34B1A87B8EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032046Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:49.272{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4ADDF981128448F9479FE445C9C68B,SHA256=CA6DA3CC864FA9993D7627DE6A64C09942DF549B627B386978488821EB2B0033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045479Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:50.596{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271B57E75CAEA5FDD5FAAA657852C461,SHA256=9609D6F4BDB3C37105D8983714CC0A057E590B6AAB7600149CAF56C7A2C0AF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032047Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:50.288{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BB68097CE1FD16EFE9A121DFE32546,SHA256=39272CB4D5CADB0E2F7DD5328C49EBA191E37626B504955FA94F293372329227,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045478Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:47.601{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64298-false10.0.1.12-8000- 23542300x800000000000000045477Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:50.149{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF8b1a98.TMPMD5=98D337AE5290E897B55C45A1E233320E,SHA256=AF7E2A4CE72342DD3A7EAE18801CDB1C6819994A4573C77DB257BDABE8CE6FD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045483Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:51.980{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045482Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:51.980{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045481Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:51.980{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045480Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:51.611{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCE80267C771E68318493EDEAC293E1,SHA256=3157789636F63B4F664E581C32B92E49CA8A703EE609FEBD827A4C4C66043797,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032049Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:50.024{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51456-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032048Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:51.304{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3788306D9A5F605BC16C73A01DF4CB,SHA256=E00583C4C058F506149E7A302C9D17F4002DC09325A63D872A1347CDE04545EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045484Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:52.630{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33615C89452ADD1F1CA4EE04EA91EAED,SHA256=2B803F8F95BC723E4F7860E2E0C3D516E715654A8FA13CFAB7BF453EAAF09DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032050Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:52.319{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE558C448FB1A358763FAB9F6F45D3B,SHA256=03D06017F0DFB77F4D91A5C17AE36B3E5C0605B10BBCD03FF2CB120E7ADD8AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032051Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:53.335{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BF82ABCA0347EE90E98D1C38FC4547,SHA256=4B5F4139E114A0DEAC773B8CAC33625A62C292C06D872E012B8A1FD394CB6216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045485Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:53.663{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDB49614A51919108489D244DA35DF7,SHA256=601243BB33AFA9A7DD9A0BCD73ED5F1F820B41D6D0D08E5ABDC56DBA18B0DF99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045486Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:54.694{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076CA7600B2F2F178C67A434160DE570,SHA256=D6F69BBEA7B5C4E6A72AA971A2A6BDB39B49A7DC9059C20B84B3ACF30E93CC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032052Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:54.350{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431F1C530C58B8602A01FF895B2C46A1,SHA256=9A3A4496E506AFE45939542797FEE58F5026003FD2B199BD1DD365B96B6F3F69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045504Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-582F-6112-0208-00000000E501}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045503Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045502Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045501Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045500Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045499Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-582F-6112-0208-00000000E501}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045498Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-582F-6112-0208-00000000E501}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045497Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.910{82A15F94-582F-6112-0208-00000000E501}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045496Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.746{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE271BD1519A0259E7F7E216BF115670,SHA256=1863FFAB2E2ADB38AE7BFBEE2C08568437B11788F6B7950B27FF95FB1551B7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032053Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:55.366{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BFD50086955D1CC6DE0104284FF55C6,SHA256=1431B12654815409E5FA0DDD3D40CACD7EFE4FCD1DE00F53295A4C03A3B38B3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045495Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:53.614{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64299-false10.0.1.12-8000- 10341000x800000000000000045494Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-582F-6112-0108-00000000E501}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045493Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045492Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045491Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045490Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045489Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-582F-6112-0108-00000000E501}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045488Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-582F-6112-0108-00000000E501}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045487Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.247{82A15F94-582F-6112-0108-00000000E501}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045516Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.776{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BE119ABF92C352817C29CCD873BFC7,SHA256=CC11E0E82BB01E687392AD0C9F3B26C7F960957015E8F640281EB187C58D09B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032054Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:56.382{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126D09CB45F2A8ACBF246A861F7136B4,SHA256=D2079F7C048F5F1BD108CE2E97FE1139ADC1544D43EBE225622A8F2E75FBC4EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045515Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.528{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5830-6112-0308-00000000E501}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045514Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.526{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045513Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.526{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045512Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.526{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045511Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.526{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045510Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.525{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5830-6112-0308-00000000E501}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045509Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.525{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5830-6112-0308-00000000E501}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045508Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.524{82A15F94-5830-6112-0308-00000000E501}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045507Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.261{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=011240D04A49A6A7093539519FDF2535,SHA256=34AE46F65828733110D9FBCC4533B11C9EB6C07E114BB93BFC750AEDB114612A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045506Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.261{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5189497DC2AE22D48C7D9741BBDF277B,SHA256=12621CED297D00CC51F1091A26B94CF5DFC35D5D972E2C0F4402EDAA15199A13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045505Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.061{82A15F94-582F-6112-0208-00000000E501}54483476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045535Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5831-6112-0508-00000000E501}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045534Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045533Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045532Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045531Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045530Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5831-6112-0508-00000000E501}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045529Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5831-6112-0508-00000000E501}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045528Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.976{82A15F94-5831-6112-0508-00000000E501}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045527Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.807{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0E3BAA63117CE87C02FDF4BAE09463,SHA256=609395FA7DEAF0961966643D51B804D15C13455676B85A0246CA9522DBEAFA64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032056Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:55.852{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51457-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032055Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:57.397{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7B5437C3B8FC1CC8170ADA5C7292F8,SHA256=34F4355CA71ADC556C2C7F2F04021BE9A8E3DC931D535DF4ADE7340ECDA91E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045526Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.528{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=011240D04A49A6A7093539519FDF2535,SHA256=34AE46F65828733110D9FBCC4533B11C9EB6C07E114BB93BFC750AEDB114612A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045525Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.507{82A15F94-5831-6112-0408-00000000E501}40485460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045524Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5831-6112-0408-00000000E501}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045523Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045522Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045521Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045520Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045519Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5831-6112-0408-00000000E501}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045518Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5831-6112-0408-00000000E501}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045517Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.308{82A15F94-5831-6112-0408-00000000E501}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045546Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.828{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A249D77E7FA2CBA32FDC98018520BF5,SHA256=BDA467FFE947AE296426667C131FC930EB27805FF01DF2751FFD9B7E85BF6DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032057Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:58.413{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01093EC3CCF7D13E67767BC527D8F884,SHA256=4BBCE12ECB0B32B3F6EC135E98BB2FEE735F06376D462C9610A2A422B1FA261F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045545Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.626{82A15F94-5832-6112-0608-00000000E501}1020520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045544Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5832-6112-0608-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045543Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045542Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045541Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045540Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045539Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5832-6112-0608-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045538Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5832-6112-0608-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045537Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.476{82A15F94-5832-6112-0608-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045536Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.128{82A15F94-5831-6112-0508-00000000E501}67843984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045556Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.874{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2F852124AB79CB185B2A5F6B1983C2,SHA256=2D7C11E1369B2CC9C5DAA93B6DF4FB6AAC1BAD6ADBB8698F317D2457A454435D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032058Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:59.429{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870BB233A98D46C254E1FB6F573E42C0,SHA256=2E541F161BB644B1E00B1675DF5A91317B235B04CA857EC42AC1407592444AD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045555Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5833-6112-0708-00000000E501}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045554Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045553Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045552Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045551Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045550Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5833-6112-0708-00000000E501}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045549Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5833-6112-0708-00000000E501}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045548Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.093{82A15F94-5833-6112-0708-00000000E501}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045547Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.006{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D54216F179AB5C0AD2EE0D98CA25C316,SHA256=C0294D347AE26803774A13C0C6AD88156ED7718352275B33BAB3E183958E1CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045558Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:00.905{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A14281F7074F499BFA866FB9563BDF,SHA256=A610D4EDF47075BC7E8A70BD2929158746CE94124B7C7C6AD04B2492A8C01204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032059Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:00.444{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F89B15FEDC27F9D760CA20D0A825695,SHA256=248B59E9053E736FF79CEDA439B5048FA8E6C1F95F0A6EFFBE99F704EE2109E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045557Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:00.124{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=842DCFC95BB40E926F2249C3C6ED1FDD,SHA256=533DAEB2F1F7FE94C0218CE5E6C6A49B1754A7E8988D5C8494D1E11652391A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045560Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:01.923{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEB708915D24D046B49FC0FE21A43B0,SHA256=616DA764CC317A2B19AD983B42C5CF127665AE6A810621A968880B4B6D637857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032060Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:01.460{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7476019102BCC706C97590599ACEFB22,SHA256=7EBB20C6083D499A42E28EF9A6ED9EF5EAF7A41975E221960CE59D1D4C0BFB9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045559Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.541{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64300-false10.0.1.12-8000- 23542300x800000000000000045562Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:02.941{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E990781C7D179BA35777337C9A9D953A,SHA256=224600BD53C7C270D1B3498FF4CF743B75314B76A1A0C7E7DA6C0C8F646A950A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032062Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:00.852{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51458-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032061Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:02.475{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D513AA2F217BC64976DA1D9DFD3D6DD1,SHA256=DE4D61D11620FCAAAAFA868FBFAF1F0DD0BE9CF95392ED28BE0556ABDDB1B6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045561Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:02.042{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EAC6EE9770F74DB8C358686FE91FDA5E,SHA256=8D8356FF686AA5A2B62C0FB839C3AB9CB158B7AC536660EFF9C6083B2E743A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045563Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:03.956{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5263218C099DB4C818387753F075D1F8,SHA256=C2EAEF762B0EFEBC6B842056BFD6AFE53C04FBCCA75A01408711DA0F308709B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032064Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:03.757{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032063Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:03.491{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB8792B41D968EE27206AFF3DB99261,SHA256=5A5441BAA07DFA9DF1C25314EBE5D23C39F9CDBF2DC8366E2E528914B7BC5603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032065Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:04.554{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEB854D2D3F0FE882A0CB1A4944567F6,SHA256=7FB7293B7A7BF4C1DE2ACF2253B5BB820C338D0D7BF5A49DFAEBF857BA241478,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045595Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045594Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045593Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045592Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045591Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045590Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045589Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045588Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045587Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045586Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045585Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045584Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045583Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045582Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045581Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045580Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045579Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045578Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045577Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045576Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045575Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045574Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045573Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045572Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045571Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045570Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045569Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045568Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045567Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045566Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045565Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.917{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045564Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.917{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000032067Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:03.524{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51459-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000032066Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:05.632{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE01D3BD9FDAB659DD5E3B9ADF0C911,SHA256=B7731DF3AC5E08E20902C6933CA3A7533253F148F54C8C28A99D6E8C3FB8A6CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045596Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:05.339{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC0B34A7BAC7791D64DF385449A3629,SHA256=381A64163EF6C6688D59AC0EE74F6A0D826DDC696F4A8B3031729D5405DC9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032068Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:06.663{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CB0557DA6E5696546C88C260A299A9,SHA256=498C62EE40501C26635CCBD74F1E4BC019A59F8BB52277739FA6283B182542BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045597Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:06.353{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700BD8B2776113A2AEFDA664E937EBB6,SHA256=F2B38FCE5B911EB849BCD1D8A764558C9B01689FBD8393FAA4D24C1EDB8FACB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032070Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:05.899{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51460-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032069Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:07.725{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B89570E97829F7B70FDA533EEF0E68,SHA256=4CCFA017D704204BC986E5BB92A3F694DC2788B3402B7B1D4E2FB4DFC7C52BD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045599Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:05.551{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64301-false10.0.1.12-8000- 23542300x800000000000000045598Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:07.368{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69A07781C2A2DC183954207F817AD05,SHA256=8627ECF17F91A6A2E5821CCB056C1254ED60FCBF9962585531D6A14AD897A95C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045600Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:08.383{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00A9BF1C80176DD874848943A965415,SHA256=3EC8A72EE0449C20CEA5E9A85748936CDDDF1E177CC2092F1545CA788FDC2E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032071Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:08.745{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96F6C7F75AFFE16BD675424237D806D,SHA256=AEA5E3DE27F54B4CCECE08E4758EE62F475954B884C3975AAE5829191E731ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032072Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:09.745{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910828B82E6005A34CC608D046864694,SHA256=7615ECD6445CCE2EDCD2B23716ABB2D7794DEB0C3B04E6FB49BB2C7B7C12D83C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045601Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:09.398{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858BC4A620A48E72A8504BAC22DD1882,SHA256=ED2AFAFDFC7ECC3BC34A75682E28886824B7D6D6FF4FA9E3439CF36B18134107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032073Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:10.776{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AAF77F429ECC36BE1461A18C3C0B717,SHA256=9FB293FF6CD4807E313CCEE899EB44BCC996842EDD74ED40216D3E563F723275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045602Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:10.416{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2B21B9F643B1C3B5F100C4F90F8951,SHA256=433DA6CD5724D2353DDC44626C9A11EACB2555E4CAADE236C833F0DDFF6BDEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032074Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:11.807{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F2AE916BF492505F2DD9DA17463678,SHA256=E23C4FC9CFC3FBD74AA5639A85EA8A67319D4766777FC7CB522764EB9F34BCCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045603Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:11.465{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13498B4489C625B9D5041B515FD2B61,SHA256=B99D63B88CD446E2D43E1A1EFDA3B34E19F066DC0DEDF83F627A8B6CA5585321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032075Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:12.870{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B674726A94EBB425FF4EC906DF905455,SHA256=346B50C0EB23CBDFCB038C6B433095A5165CCACE23F51098AFF096B65C8CD22A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045604Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:12.480{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EABB4E340B04428DA6CE3F3D8CD5BCA,SHA256=50260B51320660C9F3F5F4ECD91F5C33914AEDE993C7BEDA50AD3823FAD58A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032089Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.886{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DD51617753DB0A3DEC0659437F09E6,SHA256=91116B12B1D5BC02C6F2D162EF2F4017D10A4042E4FB3ABBEACB730707A2E918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045605Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:13.495{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A593CAD282D9E98B9FFA2364FF06CE0E,SHA256=0D27A84C56DF9EE0E278223309437CDD192F1D83C605660B51147606A9380AB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032088Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5841-6112-7906-00000000E601}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032087Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032086Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032085Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032084Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032083Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032082Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032081Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032080Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032079Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032078Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5841-6112-7906-00000000E601}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032077Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5841-6112-7906-00000000E601}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032076Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.668{82855F7C-5841-6112-7906-00000000E601}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032108Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.948{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D995E31CD03F02359026270B1B57B9,SHA256=7FA325B53EA4524C9B89D952E078C7D073D2D85C018350A3FFF135756AE3633B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045607Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:11.584{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64302-false10.0.1.12-8000- 23542300x800000000000000045606Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:14.513{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E545C2820B4B05C5A6B273BBB3C75D10,SHA256=55F29FD98E6944E3CE5CDED3DEE54C45A31708DAE1CBC3874BB5E53218B8E997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032107Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.761{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A2A937088EC9AA8CA8E259F10DB801DA,SHA256=BF88F28739B16B488819F647FFC8181FE10853723DE690C85FD2E4F87A140113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032106Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.698{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A289FFA848B1B836BE977EFA8B90444E,SHA256=05B2A12CE6D726EFF1DD51DBEBFA6A572BB503EF3156ADF21E0F45BB06BEDE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032105Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.698{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BEDCCB4735649F9583DBBC8002985DC,SHA256=65E78B8839B23D140CEC74818739049C827B643EAE1AC1BF60DAB7B7A5AD2AC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032104Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.479{82855F7C-5842-6112-7A06-00000000E601}40122636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032103Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5842-6112-7A06-00000000E601}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032102Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032101Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032100Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032099Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032098Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032097Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032096Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032095Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032094Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032093Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5842-6112-7A06-00000000E601}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032092Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5842-6112-7A06-00000000E601}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032091Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-5842-6112-7A06-00000000E601}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000032090Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:11.887{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51461-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032123Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.964{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FFC179AF2680D257ED7B2CEEA8A56B,SHA256=D0D4F93056335470AAA9F630BD65DABBD48E135040E0482B24602740BA6545E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032122Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.964{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE161F031B257353DC8204F60AF3BC0,SHA256=100DDD793204B4AC4FD03DFEAE60651100C13D61F7A60982DC26EE1B1F1C954F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045608Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:15.531{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BB989B730455DED047A8984D7C009B,SHA256=B15BE3B93E33F08EA0214E24E182CCCB8649B72BB1B290E1BB19A98837F2B65B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032121Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5843-6112-7B06-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032120Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032119Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032118Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032117Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032116Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032115Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032114Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032113Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032112Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032111Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5843-6112-7B06-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032110Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5843-6112-7B06-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032109Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-5843-6112-7B06-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045609Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:16.546{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D33949E6E7D65A9212841EB551813C8,SHA256=548CA2C60755F17EBD32D531CF466DDFAA25381190AB5D92784E781FF8CEE974,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032152Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.839{82855F7C-5844-6112-7D06-00000000E601}30763584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032151Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5844-6112-7D06-00000000E601}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032150Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032149Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032148Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032147Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032146Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032145Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032144Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032143Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032142Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032141Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5844-6112-7D06-00000000E601}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032140Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5844-6112-7D06-00000000E601}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032139Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.699{82855F7C-5844-6112-7D06-00000000E601}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032138Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.182{82855F7C-5844-6112-7C06-00000000E601}38123636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032137Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.042{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A289FFA848B1B836BE977EFA8B90444E,SHA256=05B2A12CE6D726EFF1DD51DBEBFA6A572BB503EF3156ADF21E0F45BB06BEDE86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032136Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5844-6112-7C06-00000000E601}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032135Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032134Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032133Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5844-6112-7C06-00000000E601}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032132Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032131Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032130Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032129Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032128Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5844-6112-7C06-00000000E601}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032127Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032126Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032125Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032124Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.027{82855F7C-5844-6112-7C06-00000000E601}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045610Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:17.577{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CF8B1DF4E196A59B1254C9C74C847D,SHA256=6A3A39C5532F14B01C6D7D48784D7F14BB502C8C5AA6D19A0680BE5E1D88319A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032180Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5845-6112-7F06-00000000E601}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032179Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032178Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032177Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032176Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032175Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032174Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032173Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032172Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032171Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032170Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5845-6112-7F06-00000000E601}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032169Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5845-6112-7F06-00000000E601}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032168Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.871{82855F7C-5845-6112-7F06-00000000E601}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032167Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.761{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77563301710B866CEFD88075D58E6405,SHA256=E90058AF158778A755FB7B9BB94E032D99A5920648D7184EB128AEA336048882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032166Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.464{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A370A476DC133E8E264EB85955E23881,SHA256=3E8165E65593CCA5D04FD217294997B3B582BBF851C1F749696E22EBB40BB72A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032165Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5845-6112-7E06-00000000E601}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032164Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032163Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032162Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032161Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032160Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032159Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032158Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032157Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032156Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032155Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5845-6112-7E06-00000000E601}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032154Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5845-6112-7E06-00000000E601}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032153Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.371{82855F7C-5845-6112-7E06-00000000E601}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045616Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:18.592{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B7C9CFCE31767B9F15FC55502FAFCD,SHA256=31FA1EA88CD4ABF08B93D72164218733673B465816A80F3047C715EC8F68C58C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032183Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:18.901{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01391997AC92F30C896C1B3EC5B79C31,SHA256=3AE8EA0DBC646A7F2CE3C4F957638CEB280CD99C74F50D02D6C5D7DE650C5E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032182Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:18.464{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06ED85351CEA34430EAB2DFBEBFC137,SHA256=8DEA7E9FB5240BE28F4A8CC156407167E0629A649A48AD4E629D0ADEEB32308F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045615Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:18.529{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045614Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:18.476{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000045613Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:18.476{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000045612Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:43:18.476{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.56.102192821C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000045611Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:43:18.476{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.56.102192821C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032181Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:18.073{82855F7C-5845-6112-7F06-00000000E601}22402928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032185Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:19.511{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1282B689899E2E2EA2AEF7F131821AD,SHA256=FE919EA7E464516D5C3A62955A360E36F1C594CE440612EAC3493F2D6AA848B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045617Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:19.609{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C7D5B3EA3370631B1EE4EF1E85BF0B,SHA256=6966FE48FBA8176EDE7B2D2C6FD667EB9116F3739EABDFB1B465B345C8B9E738,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032184Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.902{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51462-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032186Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:20.511{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8236339BFF08E5B2097F4CC644C17EEE,SHA256=95C477E3D2E99BA3E6741897C2FAB3CA7DFB9F9D490E63F6CBA6FEC8E6A2678A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045619Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:20.675{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B47E75ED5C8BB40A9ECA0661BD15FDB,SHA256=C88797BFBE3EA5AB1786171BBC07DF4F7E3C5A1B663E96B3861722AF04716512,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045618Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:16.597{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64303-false10.0.1.12-8000- 23542300x800000000000000045620Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:21.708{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F7B6603684A7C0056B0BE3870D4077,SHA256=ABF65CC00AFE23D0711DE6B45073ADE733B3A2F16FEEE47C87DC8B569B62CCE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032187Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:21.526{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C3DB782B126A1B4A090C1541218DCF,SHA256=B962D38A1B3328C0301BA974CCE68029DA3AB36916FC27D203DE648C285F128A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045621Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:22.712{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F885DA89CC49B6F7B439D127F6836545,SHA256=29913E68FE3953D6B76F11A86ED32D5D354883DC2645EE3D3A93E9CDB0ECFC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032188Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:22.573{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD5FB8F1ABBCBFAC25892383E467931,SHA256=785C5FBEBB139F52184347E9C6C0A9F530417F0E10AF42D633A43EC8A0C3C62F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045622Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:23.731{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF6DC225FCEA7944A8D308DDD84B3DD,SHA256=EF49B3B640741179C2383B72693541BBF033E8CAA271B0AD2FEDDC9A2EFB0E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032189Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:23.589{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD953B2680B204267CAF58294971A60,SHA256=631A5032E304BD770935C7C54654F7E0C0D642F8532E2024CCD75A7BCEE0FA0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032190Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:24.636{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF51966240E14DF3EB850B868472B7B,SHA256=6C80D144031CD1B3D409840DCA0300A2B3037D324668EF0564EA565A36EC42F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045623Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:24.746{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C660E7278BDF833309E16CC0143E928,SHA256=74B7DC095FFCC2B0FB1CDFECA0260EC206B8DDA800A6666AD8B9A0D164EB95DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032192Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:23.902{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51463-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032191Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:25.667{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6263EE7E355D9A29124BF42260D6C7,SHA256=DE75CB940A1A0FEAF000EB7F90D5DAD9D31A1888059335160E911850566289E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045625Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:25.761{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7795E51D40421750903A2EB41ADD781,SHA256=AA345CF3A8351A53B30E4FB30BF2AE5D178A3C9D173FCF565E9EDA94CA7A9A02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045624Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:22.546{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64304-false10.0.1.12-8000- 23542300x800000000000000045626Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:26.776{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1990343FCA8E391BB5E8BE8E5295A409,SHA256=87CD7C80905B6C852C570022F45368244DA9A7EE4592AC8AE5AB0D236FF078B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032193Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:26.714{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49C4F13F69BED2614ACB5952ACEBFB9,SHA256=DA39336B420BF1F9700EC9BE3CAA5C9828C374369BDC61923AA002C6F7791EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045627Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:27.809{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769E801B9DD70C9A542DD5668C147F68,SHA256=FC04B2D7C634A793CAB607B564E049E1A6EB7AD9391D7BCF3191B258318F2751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032194Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:27.729{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF78060FEABF3ACF8DD89F89F547BDB,SHA256=194E8E2247DC6254E3BC3395C7DEF6B24D7B0F9C2862410AECAC328C22A66FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045630Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:28.943{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DA1DBF0FBC434DED879AF16D115C3CA,SHA256=44328C46562BB4C51421976072CBAA302BB92373BE4B2D20C867AFA753C5FA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045629Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:28.943{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0277B3B2CB50008568E43766D725F95D,SHA256=E14088D767FCBE10DE6ECE7611658265CF719AA1DC22884DA0554508C1FE8760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045628Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:28.828{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772E269ABFBF8A90AB5647B92B8AAFCC,SHA256=13D483F5CEF096D89E6476F2C3B221E2E7277C1B6DA96B2DC9F3793C75DCE676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032195Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:28.781{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63DFB7C8BF141529EAEAFF5D84C5806,SHA256=09256276625A5D667E04C9915D6BDF0265361837211522AA716EC8E65E53DC9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032196Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:29.812{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9954DAA79914B7DEC201D493D5A310D2,SHA256=E07624607F071FC45AC045319AC1490A7EFC79EB0AE3DAB9C0BB667F40FE6DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045631Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:29.875{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBD31A28A1BDDBA4C6BBA8773205358,SHA256=105A116DC5274706F4D86A5A4F9771841F00494EEF81D3794E4B4B69A93B7439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045633Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:30.890{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478662D60F15B83A662B5A25378DECD0,SHA256=821001A96F8C4CA557577DEB2175F00F4C7C7526C3F0F8EC19A0CC8CA524CD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032197Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:30.812{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21414390113C04DAF9029816535F90F3,SHA256=09361DFBA627A70FA6C57B1C60D8D00EB3D29BA817D7A94907845A929E571450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045632Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:30.559{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045635Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:31.908{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642B6941BE0791B5DDE31CD95A70F54B,SHA256=E44DBFB4E8A4BC5EBDAB487D417D84B834CCF75A29086B5DF276BD6A5DDE9372,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032199Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:29.845{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51464-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032198Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:31.828{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACED1B5F8C7AFCBDC7E3E3EABCB4EF5F,SHA256=F55CF362094AECD7A27742668A3B0C37393F972CAFCAC485F60287A8A5085DAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045634Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:28.541{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64305-false10.0.1.12-8000- 23542300x800000000000000045637Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:32.973{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319DFF6DACD1F4ADB0EB31DDC102A0A6,SHA256=9D89F348F1800D56E5AF0502F3B9EAEC7900B8716648793265AA6EE9C33E966E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032200Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:32.843{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7F07C1494C37765C91F4FD8B59BECA,SHA256=D98589567741ADBA50DC5DE30503A99FD871E0D6E31D5B4FF7EC769D9D7D35EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045636Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:32.873{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DA1DBF0FBC434DED879AF16D115C3CA,SHA256=44328C46562BB4C51421976072CBAA302BB92373BE4B2D20C867AFA753C5FA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045641Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:33.988{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456C3A8BB8D6E4A82FEB80142D740C6B,SHA256=6029E7BBB7C8AAC29F89998E6B5EFBE527B7B86E12C4D4B4C0F79831CA7F2F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032201Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:33.859{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DAFEB502EA5D1574CA49DF0E236F55,SHA256=E6AF3AAB26F5EC75979B7E0758BF868C497993C6F8F0FA4581CD0F29A376A50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045640Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:33.388{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045639Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:31.294{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64306-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000045638Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:31.294{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64306-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000032202Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:34.875{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8555678BF85BB8E0849B5A469DA16A,SHA256=D7D7940AD0DA02BEF0D24904A6DFC83BA88E2EBB8BF84CCBA0788EEF565F052A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032203Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:35.890{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682F11DED2AABBB732CE132BAAEED5C1,SHA256=2A61720D0A2F5034BA315474B726F4B976261A1A371CD5380D2DF933E597E849,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045643Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:32.808{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64307-false10.0.1.12-8089- 23542300x800000000000000045642Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:35.056{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51097A4C57C4C2984A7ACF26DE37A57E,SHA256=81D167B28215640DD5FEA7756A29526743F5AF4C405C4A842BF9D1C605B79D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032205Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:36.906{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C29F1199CC55D23D774B2361186544,SHA256=0F4F6360152454AB244B9D21EA59087BB41FC0A526A12E8C38E8610B937F7F2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032204Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:35.001{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51465-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045645Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:34.560{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64308-false10.0.1.12-8000- 23542300x800000000000000045644Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:36.086{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9EA79F40F07E709733FE92F5D877DE0,SHA256=CE20260070948CD6CDE368AC5FBB3EE25CB7662BEB4507B972CF53D148A7F893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032206Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:37.922{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE65008EB476576E818CC3EB455FE30,SHA256=DBBA4D6BA56234B11C43E2C5371D180684BEFA467761575D0D6FBAE58EA76110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045646Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:37.104{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCC6BF054CE3029F9A05D4430BD3B24,SHA256=10539C331503E795CC4AD37CC754AF77F868E52B00ABFB7A094BE12F6D95D059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032207Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:38.924{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FCFD69AACB1AC6D487BEB1C55EC0CA,SHA256=5782F910EAABF9DF6D017B631C0195E0EE4FEA476016D861F7D8012DBB16ADCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045647Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:38.138{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59938F2A2DB7CA37B882283363A26013,SHA256=7D444F71AAD61F11CCDA4061075B37F0A94D533CA6C8F56BE08EA271FBBC1245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032208Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:39.937{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE00A6D01A79A02A48C2AB3FFDA15484,SHA256=554D878EE875D6BE5A89D3FEC5DDA48EE95C3C13BF3136166085AA0E393E2A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045648Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:39.184{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748331D5B16BA4E9B0ACE0E90D8929E0,SHA256=8E57C1AAD3F46D2646338E83157BF9BD28A05BB589AE75A831EECC87EBD31993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032209Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:40.939{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9F9731886AE46BFCBC08A7250177BC,SHA256=DB52E4EBFDB3C62FE1AA38E5127F0276CE19EE8ADC7F7521B993890707182918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045649Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:40.205{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824E3F7EFB26A22FB9473AE1B65CA46D,SHA256=701CD3106C47A2567C57EA74009FAD22AD03C061CD39C5C0F58188422AF85CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032210Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:41.955{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B281AB8F3965FB9376D2CE0583770473,SHA256=30F949EFE3D98B103DC24450650F1DAD342415C3FA28098D12E8764D95962A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045650Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:41.209{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D09FF6F20CADBE8B4B01691A1AA818,SHA256=97F968264A98DA6FF99624537ADBACD88788A4208141A6F02932276284F861E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032211Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:42.955{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC68922887123FADBAE8FDA8B9398127,SHA256=0B9C6FE1584AD75401720B02979CB3C6FE75BDC33ED91D4B8801F8B83C2A8ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045651Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:42.239{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113D84B3BC797C73876142AE258806D2,SHA256=4107B16AE2A29D16BE06DEACC90943CA7FEA1C72F1E0DAEB683C93594F032DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032213Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:43.955{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B608FE37974BEA3DA3E0DB54C7FD03,SHA256=878A91316839B3DFE6CC209551BD841FFECA030F1A2C72B49C2DC124FB63AD85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032212Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:40.971{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51466-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045653Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:40.475{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64309-false10.0.1.12-8000- 23542300x800000000000000045652Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:43.254{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8C833A570735D2FCF3175A7D6CE10E,SHA256=373767494869EF3467A932B215144D2990B43AF2BA875F6D84F18B13F672F651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032214Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:44.970{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA294D39F4F55152529B13C0250AA910,SHA256=8E8ECE791E0AE4A0FE990EC84C89CA309807B9FF5DFCB2E15C4100454D3077BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045654Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:44.254{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF996159F5D24D7E2627477B38DA15D,SHA256=524FB3B218C5CA0EA8425009EBD8054D97FCC7B1398C57F047B35BA89213CF8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032215Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:45.986{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4D5B5D4ED81E1AD6DFA38655D4FC83,SHA256=FD6289AC94F8CE78071172E9547FDA7327B87D3097711DD3BFC7FAF82DC3DF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045655Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:45.303{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794CBEA3CE64AC7C15E7643459B0FC0C,SHA256=72ED0B740DEB9D8114E8F24844E4079EC282B8588508A6D14983B972425FC280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045656Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:46.321{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D5077CA6C80228782EECA1BDFE4FCF,SHA256=77A9DED7F458ED3C82682D30E3D442843CDD69C91C33A8942388CA593582FF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032216Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:47.001{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2851B1A9E530EEA1144039C974FFA7AA,SHA256=2B24626377CC8E8330C124EBE221665ECE0258C1726335C00D904BCB91ABA545,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045658Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:45.657{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64310-false10.0.1.12-8000- 23542300x800000000000000045657Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:47.336{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F544CBEF9D4997EBA0563A4E632E9C,SHA256=A9CA83F24A434F640630B7E765923F7B5F906A212583FF75FCAE8EAD778BEE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045659Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:48.351{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FD55CB76EB143E1AD50DBD7FBDC6AB,SHA256=7F1B390D0805ADB98F56B38940DA394759A251CE8064901107A94C856D684E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032217Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:48.017{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A432358BBD5BF3111748241FCA9968E,SHA256=7E98BB8EC43C94C6C6715249F15FA1F5A25DF729F63FB65E1CEFE4ABEB4869E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045660Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:49.366{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA22F5149364AD68FA016D166FD3200,SHA256=EEDB99ED765C8AD6F231C5DEC0576C5D6BDC9718B11CAB771BF9FB8C3D7E95E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032219Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:46.956{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51467-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032218Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:49.032{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FFD041BD056B8714DFE7188A984EE8,SHA256=2406C04D800CD93D8CFF82EC90A4D4EF96E8A405D7C863485854578D36E3C1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045661Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:50.381{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A809DD062276DA677773C0CEBB135C,SHA256=3887D8101AFCF056D86008101696B134D4A196978F4DA60A60F877AB5172B1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032220Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:50.047{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C02B96D8DE0F19DF364E1D57164AC7,SHA256=792C868760D56C349CD37B42306E91107EBD3DF8EB9F0621BEA74FB00C24BC4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045662Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:51.398{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345CA6C277CB099519B00011C93CC066,SHA256=BF6824CEAC40C52C2659C1EEC1C592F5F249E15D4B6586E69E57C3E1A40D044B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032221Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:51.063{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC2A8D4FFD470B63B25F8117129E6FE,SHA256=1ACBBEF7DB5E5B442E159598FCACFFAEB65A56903489FF36F349856C4CF5FD9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045664Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:50.685{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64311-false10.0.1.12-8000- 23542300x800000000000000045663Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:52.418{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073DF7E6A52D9278FD40B5F2B9B894C3,SHA256=9007B044C63878A868599F8D8E050F9375048AD5AAB146F4378994809489AA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032222Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:52.079{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FF47B4B9A3EE453CFD6676BDEE2578,SHA256=839FF7449C489B87399A6AC7F3EE531FA1B967479C5114B0A3BE5FBDF9296019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045665Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:53.464{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C61FDBDF71BDDE8B369C3A9D3107BFE,SHA256=8D71E7C400CCAC51A27A5AA5333F6DA1D63A1EAD585386FD482F9644D7D07AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032223Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:53.094{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576A134A609E0560C62BAC2A9168DEA8,SHA256=28679124B971115D1C76BBF1B75C6E836B42D85A87AFBA7A6C1B71938C74B189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045666Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:54.467{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB82856178C5482B4A81F68246F332B8,SHA256=89C885E15E33F727BD6A6CC56CC5EB11BD5E06CC33AAAA20391F81728C599E68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032225Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:52.908{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51468-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032224Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:54.141{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4AF8E11576275A7B6EC33E6D034072,SHA256=F707832065B0327738DFC360F7E423FCF08F3601513E581EA4B3A92C2DFFC6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032226Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:55.157{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE1A1D45660525851BA8EA6B598E273,SHA256=7642718AB2F7AB54A46DF6FFF304B1467DA0CF1B78B2FBD3A0A9CF362B8C328F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045684Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586B-6112-0908-00000000E501}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045683Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045682Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045681Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045680Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045679Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-586B-6112-0908-00000000E501}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045678Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586B-6112-0908-00000000E501}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045677Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.935{82A15F94-586B-6112-0908-00000000E501}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045676Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.481{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BA65D96E23BCAC2777C5EDDF20D404,SHA256=4ACB071BE0D15A40442CED98016B76D4E16C48E5A7C5BBC8350377B65E100A98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045675Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.435{82A15F94-586B-6112-0808-00000000E501}60684908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045674Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586B-6112-0808-00000000E501}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045673Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045672Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045671Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045670Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045669Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-586B-6112-0808-00000000E501}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045668Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586B-6112-0808-00000000E501}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045667Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.267{82A15F94-586B-6112-0808-00000000E501}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045695Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586C-6112-0A08-00000000E501}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045694Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045693Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045692Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045691Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045690Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-586C-6112-0A08-00000000E501}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045689Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586C-6112-0A08-00000000E501}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045688Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.536{82A15F94-586C-6112-0A08-00000000E501}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045687Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.502{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5EABC8BA45017013EBB4224DBAE661,SHA256=0E3B9649404FD875D4FACB94B674F50D80FA5D6CDEA5CC6F80E90C926F4AEED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032227Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:56.172{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4479539503D71A9F73F5F9E1F658B1DA,SHA256=647DF9E77904809A81C433AB59CECD4BB0EDFED2ADA073FD539D8C15CBC3166D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045686Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.282{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA372EC77D22896915B2742728CA1308,SHA256=422E9BF9216F9993A388AF6B1691AFB05BFABB2B1D6863979FB82FA35F7ED895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045685Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.282{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A2795432B32D1A4476004C8B702F3AC,SHA256=8C4B6F8598806E0E4E7559EB290B8A86B7A832066194CF7A4AC8F5D2FD54E215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045706Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.549{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA372EC77D22896915B2742728CA1308,SHA256=422E9BF9216F9993A388AF6B1691AFB05BFABB2B1D6863979FB82FA35F7ED895,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045705Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.534{82A15F94-586D-6112-0B08-00000000E501}63641996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045704Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.518{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C37F7385AD93BDB994796DFCDB2D19E,SHA256=D7682E5CD82D333B0448498E0F06B997B782B1BFA8EE4DE1D102E71B04E2DD83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032228Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:57.204{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB34BAC66A830D16FACA160DC7BDABE3,SHA256=6D60CE52BB28FC622BD65B10FBCF044318EAAE0019F59854132D699C4F4DA800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045703Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586D-6112-0B08-00000000E501}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045702Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045701Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045700Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045699Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045698Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-586D-6112-0B08-00000000E501}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045697Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586D-6112-0B08-00000000E501}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045696Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-586D-6112-0B08-00000000E501}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045726Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.500{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64312-false10.0.1.12-8000- 10341000x800000000000000045725Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.900{82A15F94-586E-6112-0D08-00000000E501}51884112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045724Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586E-6112-0D08-00000000E501}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045723Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045722Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045721Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045720Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045719Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-586E-6112-0D08-00000000E501}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045718Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586E-6112-0D08-00000000E501}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045717Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.665{82A15F94-586E-6112-0D08-00000000E501}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045716Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.533{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B87E32E2116564A96A0075881441B4,SHA256=EC456B1B9CD945707D45AC1ACA8174039E3D00F80A7B072A69A15F08ACD9CC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032229Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:58.219{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30D7E6D1531DEEF29F8D4E800B790793,SHA256=58FCA03ADBA8114D703713A77A089A998FBC33EF70BD52C48E1BCA055F7A30EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045715Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.149{82A15F94-586D-6112-0C08-00000000E501}58883516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045714Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.001{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586D-6112-0C08-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045713Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.999{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045712Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.999{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045711Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.998{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045710Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.998{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045709Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.998{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-586D-6112-0C08-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045708Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.998{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586D-6112-0C08-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045707Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.997{82A15F94-586D-6112-0C08-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045736Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.554{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEA1775E4D0D8D4152434E43EC66A32,SHA256=101967A8B7AF490CEC963D8E4C493F5FD398B69CFA7FB25473C57794A07FDB0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032231Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:58.017{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51469-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032230Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:59.266{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B64380ACABB570D249B0EC4330D2ED0,SHA256=AA93AAF99A4BA9EF0CD0334C281B5715B3754F93552C62656E4D94043E62F75D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045735Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586F-6112-0E08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045734Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045733Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045732Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045731Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045730Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-586F-6112-0E08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045729Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586F-6112-0E08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045728Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.340{82A15F94-586F-6112-0E08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045727Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.006{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C821D79A860567D88EBC63C652DBAC,SHA256=743DB41FA47BC88DC04F943CE67D4AD3A699B27B23BC12E7B0F034A3082D3CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045738Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:00.569{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECCFD8DC637F095BFBA910F112BE095C,SHA256=5022C556D93147A415E1AC3DBB0A1B7A20F391F77E76583D2C2D408AA175FD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032232Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:00.297{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D59D166A2DBABB6C8FFD6C8D75AFC2,SHA256=CB1178FAF8CFD629E2DEAF2A86D21198C445E05B39325B56413E1149EDC347BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045737Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:00.354{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=458A405F09FFB83F50B8EE63A9ED544C,SHA256=BA33B25F1B0A8EBC3D5CFAFAC28EEEB7E131E4A20AC73C8F8627B686197EB47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045739Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:01.584{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95AB5F37EE423CC71681EFB7E9C47096,SHA256=990C7FC65D7260147B5F2D252D1019B33395604CEC4623E4761278CA89A9D59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032233Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:01.313{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB38A371BCF952EAB165947BC797AE5,SHA256=16AF16AF4C1733BB082C42ADBF047E139412E83FE8B0C936685E9E09E640BFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045741Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:02.603{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC198F5D0F00705B1A1F1E89C98FF17,SHA256=C5E3488C183271F563AE2F87BDD0602C54E1B253D6C5B930F5101F44BDEA5538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032234Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:02.360{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D1CBEA3BADFF30EFE91CA0AFA4EA5C,SHA256=83EEA48BFDA6DFFC4376E8CC31226011C07AC0D88AF76588CA0E99CDF32D0732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045740Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:02.053{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EFDBC106D97A5A5BF8E9B821444C644A,SHA256=F6479315D1D78936D2465407BE490EB9037685B5D3C3B4C95126FD9B88AD04A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045742Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:03.636{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796D428789661DC27873936552B45556,SHA256=99939175DBAFE36D6911C5D83DC18BDA3F3002F61AB0AFB216DE7381B45764F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032236Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:03.782{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032235Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:03.360{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAEE148D4218C2C0C0C6CDE5FEFA109,SHA256=6FC09338088C9AB4FC1F3E94DB1D90D1706FD76649F329573437293EE2633616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045744Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:04.666{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8C3EE909A1D857ADBA04DA41BE5030,SHA256=1D23D16A63C97FA9F23F94ADD4B3729116AF84C51116C15BBB5135C8731F7415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032237Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:04.375{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7AD1129FFB21054A1AF064281545E5,SHA256=923391DD3DEFE031D2B6EAD967E0A9D5E783DDC1644F00788D12AABDE80CA6F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045743Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:01.538{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64313-false10.0.1.12-8000- 23542300x800000000000000045745Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:05.681{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A374247BA252EFA8AAA56322B233F1D8,SHA256=BFE09B139191F99BAA18B129C6E01A4EE24618075927E746DEE631EDE91B9FC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032240Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:03.892{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51471-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032239Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:03.550{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51470-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000032238Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:05.407{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C0C3A3E095858F3C89A565A82D5D56,SHA256=5663CE608773637BC4F376C8D91B5EA996728AB5F2BCB1211CA728C9F8F4A6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045746Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:06.698{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF8714C6485DA603CDBABB4F47C8408,SHA256=C61F2FB25143C4111130583744BC4BA305CDF16C616A1A64536EAFFEA85E9C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032241Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:06.454{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B78E9B14862F16241C98B0A8BA44C66,SHA256=6A889DC8F0798C5492C0A7CF749594D294499D0B5F1ED1D535203CFA79865B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045747Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:07.732{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC7676A3B51D4D188C7B999D1EEBBA7,SHA256=BE8D7273920C8D61C5E7B478D8F1FB58FDB92D68FCA67E2E8DA761563E9E5ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032242Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:07.469{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87D9A705C68B9C3C890BD8A04933378,SHA256=277D6DF07AF96FD6D448D8F7DBD1F51139C0A389995FAEBD803676FBB73D2589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045748Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:08.748{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCD8F01ABCC14751664C525B60BE1E6,SHA256=78501AA21F51E4FA27EE43391EDF0E7E1E3F996FEE262ABC95CD7E607D55B7E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032243Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:08.490{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEE3B4062787EF09441A2558741ACF7,SHA256=3A9CA2FFF62C028078AF3E1E95698625C5652F71137F77875477FEB9043770D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045749Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:09.762{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359F8939F2BFCE3D813319A913F3697B,SHA256=0D0D2BA2A7188C8986E63706CD34B2877ABA4ECB91B2E631D016898ACBB61E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032244Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:09.521{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E57B1A8D56609A2558A779BB9B8E7B,SHA256=1B135BB0E9E1CFA1CE2E3BAB2FE61E67D8A9F09DA0B2046AB633C273407E6147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045751Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:10.777{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CABA7E63C5031ED3A66E87DD6408675,SHA256=2A5829F6E36A808045C44B7556E3EEF1180E1E83A7F459BE7EEF7AC4586F268F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032245Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:10.552{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A4FA4DA105696DB5AE067B5A0EB001,SHA256=81B61D5C98AE8489F738924BFEEF9D414E936AF9C0E1FA7DDA8B02BF34311BB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045750Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:06.668{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64314-false10.0.1.12-8000- 23542300x800000000000000045752Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:11.794{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C81F1DA9D8AA74BB32198BBB147DD31,SHA256=B0178F8BDDA64BB433C6DF00BB771388DCBABC80C170ED94CE3208DE95C0EADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032246Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:11.568{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6CD536E6800F33DB07F9FDD1A87CE2,SHA256=D7E8520CB181535C311F5F7EEBF9DBC9632275AD63BE9359845F3695E544B066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045755Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:12.897{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5E10EE8F8D84339E7248CA6810157D0,SHA256=56F423196E3E54F9F105AD84D890422613450B3934AA93FAB6E77A0F19AFBD35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045754Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:12.896{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69E7D44C45D556AE346F519CFD27302A,SHA256=035DCDD39A4CE06D57E2CE48CBC40B1CC2178ED9ABF591DA6C37F78D27F89BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045753Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:12.814{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E0FE45374E059161E36F99B77A5917,SHA256=56AF5F5761B86DF1209E42345FD5AF8896D48B0E9562AF648D86FDFDF2210450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032248Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:12.599{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F26F5470F6C0B9BFB5DCB4B32FC372,SHA256=C264071CF71A51C58CCC4F8D71AB916C8B90379043BAEAB9F2D2EE3ED9C19E0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032247Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:09.912{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51472-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045756Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:13.832{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353D3C199606E8AF78C3FB72776877CA,SHA256=E500890F5B60EC1F479F633F48A02A7BAD6B8EC3DD6C8A0C1A47A3ED20D7A280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032263Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.880{82855F7C-587D-6112-8006-00000000E601}31121228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032262Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-587D-6112-8006-00000000E601}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032261Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032260Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032259Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032258Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032257Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032256Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032255Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032254Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032253Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032252Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-587D-6112-8006-00000000E601}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032251Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-587D-6112-8006-00000000E601}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032250Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.678{82855F7C-587D-6112-8006-00000000E601}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032249Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.646{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454417825725808D95A4D3D9151E6CBD,SHA256=A31041F19EF8E4070E1773204A3F03AF78CCF6918A0E01C9661AC771106E3145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045757Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:14.862{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B306D21CC27A49BE494E2AA43D933D,SHA256=11011C0EDF16083BCA29594E8DE56A00160FA5ABD7D3EE4AC81A55534A7E5BFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032290Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-587E-6112-8206-00000000E601}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032289Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032288Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032287Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032286Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032285Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032284Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032283Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032282Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032281Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032280Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-587E-6112-8206-00000000E601}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032279Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-587E-6112-8206-00000000E601}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032278Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.850{82855F7C-587E-6112-8206-00000000E601}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032277Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.771{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=07AA2FC21E4BA964FCC4DD414C515691,SHA256=E780EC9F5039499A7E7097C3447042247E6A945D1FBEC9289E547649FEDCB005,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032276Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-587E-6112-8106-00000000E601}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032275Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032274Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032273Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032272Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032271Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032270Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032269Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032268Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032267Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032266Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-587E-6112-8106-00000000E601}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032265Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-587E-6112-8106-00000000E601}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032264Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.178{82855F7C-587E-6112-8106-00000000E601}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032295Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:15.866{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D99E73B8E4EB934640DE7531F942978,SHA256=0F970DE60876483CBB1F90B0CE44F34DDA01063DDE64A77528F17B101B9F940A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032294Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:15.803{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7573289430EE676BE3669F0C0B7F1B4A,SHA256=B1D3E1428779AFBDD199F6F14B7F03D17DB201022716F0CD259B749B014C7F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045759Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:15.895{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456E63DACA21BCE86FF11B856BBB6E34,SHA256=5706C173525D7249450776C3865DB6AC8DA798E03A9D6BF14E1FF3081703F073,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045758Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:12.612{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64315-false10.0.1.12-8000- 23542300x800000000000000032293Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:15.037{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D99E73B8E4EB934640DE7531F942978,SHA256=0F970DE60876483CBB1F90B0CE44F34DDA01063DDE64A77528F17B101B9F940A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032292Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:15.037{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1EFE2224BA99960A2E9C8763A7D642,SHA256=741835F54ECF53ECBCB8B67D272A59B644EF03A9C269737BE3246C1537BC85DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032291Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:15.037{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F1B43F4E61A626CFC150F26ABF78B9,SHA256=C80FED27D06B8B978ACFA2978ED77B3B5B56FFED8AEA1735D881C22A5F2C1EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045762Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:16.914{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DAB22B22290434C84B200993EBA5E1,SHA256=E2834417FF53A7A394F5C029272F2461407E68B269736F0304F3471F36966B7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032323Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.913{82855F7C-5880-6112-8406-00000000E601}40683204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032322Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5880-6112-8406-00000000E601}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032321Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032320Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032319Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032318Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032317Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032316Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032315Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032314Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032313Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032312Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5880-6112-8406-00000000E601}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032311Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5880-6112-8406-00000000E601}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032310Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-5880-6112-8406-00000000E601}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032309Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.272{82855F7C-5880-6112-8306-00000000E601}13082432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032308Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5880-6112-8306-00000000E601}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032307Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032306Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032305Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032304Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032303Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032302Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032301Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032300Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032299Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032298Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5880-6112-8306-00000000E601}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032297Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5880-6112-8306-00000000E601}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032296Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.039{82855F7C-5880-6112-8306-00000000E601}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000045761Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:16.277{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txt2021-08-10 08:54:16.052 23542300x800000000000000045760Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:16.277{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txtMD5=A34F479555CDB28633CB3CD7C56F279A,SHA256=AF2F6EFA43BAE08F570C3819DF94D1B6BC9DEACBC63DE0C9310139C0D09DE5ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045763Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:17.960{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A15E3278D1F0BB8B5EB22CC8760C25,SHA256=20472C50A05DB2EC4E21DFFD69BF9A7FB30BDDF68DB42D20AA1550B45AE8C599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032354Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.960{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A4BE01E40B5B70D1930BC812C41BB4,SHA256=4EB8385660019620B18C9A793FDA28143387E9A33424A2B57F2D72F807709E8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032353Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5881-6112-8606-00000000E601}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032352Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032351Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032350Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032349Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032348Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032347Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032346Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032345Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032344Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032343Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5881-6112-8606-00000000E601}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032342Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5881-6112-8606-00000000E601}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032341Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-5881-6112-8606-00000000E601}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032340Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.397{82855F7C-5881-6112-8506-00000000E601}6242812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032339Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.335{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD67AE3FD39AACADF85F059B5751970,SHA256=6D08C60F38F33676DBE3BAA295EBE9EC16E062017CFA155696FB0F0DC8395B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032338Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.335{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69F76394C6EDE030F5EB6B850D04E848,SHA256=31A496348EC91AEB253C6E289D825D8A726E99F54A9AA9946C033AC1CA2671AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032337Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.975{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51473-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032336Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5881-6112-8506-00000000E601}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032335Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032334Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032333Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032332Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032331Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032330Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032329Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032328Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032327Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032326Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5881-6112-8506-00000000E601}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032325Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5881-6112-8506-00000000E601}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032324Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.211{82855F7C-5881-6112-8506-00000000E601}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045769Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:18.975{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B005F0C9B514A0366D16CA8AEB5DAF,SHA256=78F11B9A6BC9CB0CBB80F08D37876E2384E80A33916CBC3A6166C3F7E46E57AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045768Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:18.528{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045767Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:18.497{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000045766Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:18.497{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000045765Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:44:18.494{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.57.200400712C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000045764Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:44:18.494{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.57.200400712C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000032355Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:18.897{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6DD4F0D6FE063F8CDD0B8370EF51085,SHA256=F71EEAE5ED000162929B8FD87F18AB1C54CED476DEF39F0BF5E25B8D3D5C1DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032356Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:19.178{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6161FBA2606C0806185805B40D7960F,SHA256=8C4A594410B748499F9852F462357F72EB80B4E56C7F10C4FA10DB532A0350D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032357Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:20.225{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460EB4B9C7FCE83A7CB22ED0D4D92E87,SHA256=6782F33FFC89E9EA5B46710FC9A792EC20F030F6D1733339357ACA438A82909F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045771Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:17.695{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64316-false10.0.1.12-8000- 23542300x800000000000000045770Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:20.012{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AF6D6FFC605F1724692305842BE1AA,SHA256=9DB19D30C5CF8EC7258F414017BA6367765DD9854DC2C6D268E203E5D691EF16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032358Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:21.257{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E5E934D13492942BF3F43205E4AFCE,SHA256=9481CF3CC8265E3E2EED0DA522F79380ADEBF6A24EDEF2A7258635BAD08E45B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045772Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:21.027{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC0E3C1DDF05FF1937FD9F1CFD07B36,SHA256=1B1041FD6035D413FE501216EEF7FFAD98F7378535D71D090BF6E46B7EEC843A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032360Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:20.960{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51474-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032359Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:22.303{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E2365E43EEC002D0D626131ED000A6,SHA256=626380376E2AF4EEAC7C147BAA91611694B9D15561C4C4C65AC843DE01CC85D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045773Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:22.029{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F2FCE99E313FA785E1C7A7FF5A9C32,SHA256=03EA5D2AFFD956DF8DB2B66C4A0D4AC2B751F8F5B689EECFC69742912DF86EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032361Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:23.319{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C93DCAA880AE89E5BC4EDA22B36BF1,SHA256=0B6EF13945644967DFDF5DA7667FF0101CE99BF9FFD327DB1826716C183164A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045774Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:23.042{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4915E8C911052A03794D448D91533E,SHA256=7A2BEAEB454ECD1F6ABCCA44D71DF907D60FE6507163ABFB77B8AC91549532DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032362Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:24.366{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DD4467E2A3597B80984CB869922430,SHA256=3584D7F95463DA417BCCBCCF665C936F7E45C9090D12C0304BCF89A2DCD3BDC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045775Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:24.110{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA18C4802E322A9B118EF8173C9B7FF6,SHA256=F10163FFBB280B2A443D3C78010650A526CD5B6F9732086A10F0128BBA4769D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032363Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:25.382{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3975F8C7B0FE9EB444AD904A2A7DA17,SHA256=AAB988874CF1BC48100CF59C1EB8C68F24C23CEB063C0405DF99F88D03370310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045776Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:25.124{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C3DAEE484E19458BC49D5A777DD74A,SHA256=B14BA0121D5EDD5E51EBB695124CC0B6A35850C6C3D5A205152B15437ECD43AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032364Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:26.413{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB8288343C50E3A25F3FBA0E6B41F5D,SHA256=EB3F606B4F59EB712D81DE4F7866DEA63931A3A35188B192E60DDD684F361226,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045778Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:23.676{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64317-false10.0.1.12-8000- 23542300x800000000000000045777Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:26.171{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD719A05BF72332CCCB49953613BC5AA,SHA256=3B9AB6E5F031B3218C2B3B15FBE2A61B5E1DD57339396C6CF2DC8DCBCAD78659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032365Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:27.428{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B08B65D80E6CBF0E3B13DD08AD9024,SHA256=4EC06BB858E3EA01403DD549BDE0E1A67E9C568FAFE95500A14775B9D0BF9D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045779Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:27.189{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7005D952BEBB6AFC7AB92FF4CC793551,SHA256=337AC9BCB4EF0C197A64C425CCBB4D3DF640F673B0C529600CF55FC51A648D46,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032367Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:26.929{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51475-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032366Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:28.457{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1552C5C4EC104549E98F54FB67F7AD82,SHA256=99E0DF83EAAB9D9E400ED11810DC06AD7920AF35FFFC053387EC38F0A08287A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045781Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:28.838{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=3B2BE0ECEFE28D442C76C90E4D35EABF,SHA256=70ABB0EEB2BDB6A1DFFADF73E29963E79720CE0A9F561CD36FB6DC4E1A583051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045780Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:28.208{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF7EAA07CB7FEC6C3C51A816F6B7652,SHA256=D1B40387698EBED3306F12832419552B1D5C900F7E6E1907E4B928CC10B60974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032368Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:29.504{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3888094715F418BDE3E768F13D5717AD,SHA256=D556A9577D4ED266D7FC80E85527FE04516CDC42A86C14AC4530E5D0BAB8764C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000045792Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000045791Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008c9f63) 13241300x800000000000000045790Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcc-0x506ced59) 13241300x800000000000000045789Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd4-0xb2315559) 13241300x800000000000000045788Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddd-0x13f5bd59) 13241300x800000000000000045787Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000045786Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008c9f63) 13241300x800000000000000045785Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcc-0x506ced59) 13241300x800000000000000045784Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd4-0xb2315559) 13241300x800000000000000045783Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddd-0x13f5bd59) 23542300x800000000000000045782Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:29.288{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B0D1F75C5BB3159B3CD573230333ED,SHA256=CC5EA5F87C40E0029397BEB7A1347F3EE7FA7F0AB61B6F0739C869F842EB6B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032369Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:30.520{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F3367982B736045BD6F25603FCE838,SHA256=452DF135904895E9F25A5A70DE8A1BFB4FF82968B6DECFE7CB2321A9AD6897D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045794Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:30.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045793Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:30.309{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0878EB8DDFC79AAD9DDF5C0956FD7C85,SHA256=409E08D80B396D71935E482D72C7F974F600F7D8D2AB6C343949E2152118C9ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032370Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:31.536{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB464949EC72DC999824847063967E2,SHA256=9D8A9B5F9582682F12CC8AB548F596C75D91DD2D0C0B3F23BDD8718041B22DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045795Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:31.325{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6314FE9AF98134A86795200565F6D72,SHA256=2672E22D5C4E5216948BB1A40733A19EFE836800B3380F8C05C49F43DCE37217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032371Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:32.551{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46463528A031A8A7BF1113ABF38DAF93,SHA256=BD2340E3DF93D4AB0A3631DF7E0D0499401D9F3EFB3DBEBBE1AA7A1A4DAD34CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045799Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:32.892{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C037BB463AAAE1FBC89D2DDBB621919,SHA256=7C7DD2787B1070994D3787A79D6A6D7200A8946BA8B3E029332EDD3EDF49265F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045798Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:32.892{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5E10EE8F8D84339E7248CA6810157D0,SHA256=56F423196E3E54F9F105AD84D890422613450B3934AA93FAB6E77A0F19AFBD35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045797Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:29.607{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64318-false10.0.1.12-8000- 23542300x800000000000000045796Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:32.355{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00BF1B312B9E852AB117E21D7F98AFC,SHA256=7B339FCC026B9142CE677145BF48BB9443B731D197B141FC1BEC13EE118C508B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032372Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:33.567{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47ED0D8037274BC4B6FFEB053A707AC0,SHA256=678A70B45F2ADB1BED210A2A55D971B3F67B621799F7714872707D80703C955E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045803Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:31.307{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64319-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000045802Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:31.307{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64319-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000045801Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:33.408{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045800Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:33.370{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E9D820771A97A58F635C68C05F6057,SHA256=F57CFC1B86B530F86E31BAE1398DBCD8FDD643632257848C4E4D5972D337978D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032374Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:32.895{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51476-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032373Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:34.582{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEF020445C5456A29EFC3A11C8363CC,SHA256=80B0F0D85494975EE481719ECCFF43C5C39FABCF28A44EEDC3F5E3C3E8600F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045804Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:34.438{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5570E7D537D7049E59565BDFCEFA785,SHA256=9B05FC829EAE324FD3880974954279139D43562A41518C008A3B3C0CC032EDDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032375Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:35.598{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97FDF99BA4F31F68944590C1D8D5613,SHA256=75C1019FD7376BA85B42F2DD591B457A6405A12AA0F107F8F579BB5ED152BC2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045806Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:32.824{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64320-false10.0.1.12-8089- 23542300x800000000000000045805Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:35.454{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE510B1256465A4D7FB3FBBC698E25B,SHA256=5B180B88A8C54FD9E331AE65D02D4C1D12677B1F982DC5759227448F16237DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045807Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:36.473{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B352C8100F7276267DAC82F841CE3A08,SHA256=A5BA22EFE364039946BCA49D59D31F35060EF274DD31E0CC8C0E6D33AE980799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032376Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:36.614{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90B266168B5F392B4B9B3B5DDEAECBE,SHA256=E3DDF9384DD3FEEDF41A680A1C0F8FB5D4D0BA031E94E739C22A9B153460C0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032377Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:37.629{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14615E0A4767497F36BE4A1AC43384C4,SHA256=5517649E9F9A576CD40732B7287754F5AD73B0FAD9C0F9148970BA9C97548EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045808Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:37.525{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA6920BCC308FFFB3F591CEC693E586,SHA256=1DFABF0CFFF5448AA1CCD214668F6D8F44571E9DBA1438CE9A708015A5492BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032378Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:38.692{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1BAFFBE6C39B3AC1E6CA1E3426DBCD,SHA256=48A24C490375D6FEA7472840A002FFCF38B38A8D426ED413662529F72D5D9B5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045810Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:35.504{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64321-false10.0.1.12-8000- 23542300x800000000000000045809Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:38.572{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E072E6FF87082AE42DAB628637574B8A,SHA256=01E71B51B40BF78C7D88BEAC60B2E4E63FE7DD1695E51638CC262508AA764251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032379Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:39.723{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AD1F3C2B6AE21558DF69967D35FB00,SHA256=E7B907C9289D8EC0AB79C200DE7081F68A9596F5FF4CE61CA7096FBEFF6E7829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045811Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:39.589{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA25E75D343DA90A3C600EBB2BBB4E91,SHA256=5905D020C0A97B87BBD4DD869A0D80677419782C0ACCF86C075A75D831473143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032381Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:40.741{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C41E14316EB3890DE47577BC99739A,SHA256=33CDFB045368C1A90D4DD8AF144FF67908941EC7573DA8FE441215ABD7EC911C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045812Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:40.608{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD191A8FD986A320DE389AA4EA598F5,SHA256=BFFA64B49D0F8D3C44F89BBC20AD86FAB8B3D9D905604D84CA111B59B4FFC285,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032380Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:37.926{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51477-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045813Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:41.654{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894B368F1A54EB62F0936351D4C3CD78,SHA256=DE227DBE18AF5EB0FD7D466455A2C96E809EA03792FDB02089F542FA618CC0B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032382Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:41.743{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F9E793B3FBB388D4845559ED8AE3AE,SHA256=2078CA69FD9D5E4814874C09C34619F68EA779926E23C6F304BC2028601F35EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045815Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:40.624{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64322-false10.0.1.12-8000- 23542300x800000000000000045814Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:42.669{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D567564E8D30F116A54C6375C447CF6C,SHA256=96D56D40F08251FFC908AEB1D21798358844619AB9B2ACED6FD609EB32D793A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032383Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:42.759{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF5AD0D39277BC076E513631D08103E,SHA256=DF2C70B8EFD61733E8537856DFE47E07C01A4DC8C52B0F9317088FE09033135E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032384Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:43.790{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF423EFF5D5EAD243A9DB329205F088B,SHA256=3AAF9B8A836DB4BA43F1598F56303A67FA6666B23F890DBBD701F716FE3149D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045816Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:43.706{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266F1CF57E275FE4408E9061671E4F9C,SHA256=BE7703E23A737E7E18C32844BA5B509F4A99AD055605A6658110D61780163DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032385Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:44.837{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA523494B3E93FCE5181F5EBFEC5CF1,SHA256=68C8EC71D5936118F95B928DCD46DDB06F60815E92EF1414E96146AF7A577C97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045818Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:42.429{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse20.79.73.243-60679-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000045817Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:44.721{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B499166DA1910B1CE61AD9A2293B1468,SHA256=71133FEAC7B9864B83ACCDC914EA9912E425D93F4B4B987F3935C406B5A5FFE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032387Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:45.915{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D511DCE4E41A22406671C47FC25EA6,SHA256=A1AF9C649A17BC98C5754D7335D9E56FA429B2F7911A3587EC94855D24629771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045819Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:45.735{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74826C4AA6FC31E2DF5A4D14C83B822,SHA256=9DFBD5301A622E770BFCD48EB977D7AC1E97D4B0A8437815A0B5B7CFC48A23CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032386Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:43.837{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51478-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045820Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:46.766{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE4100CEEC036CD07033346BCDF3B28,SHA256=688C03476991B769DA7083795ADF8DAE814B309029F2FB0B4BF22DFFB5191361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045823Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:47.783{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D5951C53327A5CA0037DD94F84CD61,SHA256=61A006ACCC8B3ADD3EC706819F6C42A7DF8A29D479E8578196ACA9F6D8F6CFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032388Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:47.009{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B11782F43F977807558A54193E6030,SHA256=1D852FAE5280F6AA82252958FF3B2D48B5C755856D79EE1455134A5BF5E3178C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045822Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:47.634{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5420CD3532D226957F20D646AB57B789,SHA256=AD1DD6F5A90DFFF4894FC57AD10FD080EDC070B49932FDDAA8BDA0B35130E3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045821Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:47.634{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C037BB463AAAE1FBC89D2DDBB621919,SHA256=7C7DD2787B1070994D3787A79D6A6D7200A8946BA8B3E029332EDD3EDF49265F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045825Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:46.570{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64323-false10.0.1.12-8000- 23542300x800000000000000045824Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:48.802{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189622CA1434FE7167133DDF5C0A701D,SHA256=16FA46EC4FB8524A5947810480375FC234485D8E4DC1E693696D75245DD8FFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032389Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:48.040{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B144EE55725EF92BBE199CBFF15D11A4,SHA256=5F10339CD73B0AFF450781D5393534F9CA717B779441354DAAFB3D17E290A005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045826Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:49.833{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466A3929EC173CAD3A86F7C0FED673B6,SHA256=BAF167842F811E6C336B6410F4447C0E178B80E385DEE21B9AB1C91D6F522F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032390Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:49.053{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B60B94A67822E5DEA28C0E7F7E34C23,SHA256=5CBC6E26A516C069B40EF740F95D794A2072518D64DCBBD8D31552FB7603FB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045828Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:50.848{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A62347C351E2D3EB1F93A1F2F87946E,SHA256=C894CA0F26C858A852D11A6F2D98DF4F1AFE6D5D91BCEBEE2204865F32AECE80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032392Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:49.038{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51479-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032391Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:50.069{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4227716B1063E8C0D551C4A16BF91DB4,SHA256=ED3743DEDEDD0AE4CB0D5429AE3921DF523D4C0B6E7782E3EC674337B226C1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045827Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:50.164{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF8cef68.TMPMD5=98D337AE5290E897B55C45A1E233320E,SHA256=AF7E2A4CE72342DD3A7EAE18801CDB1C6819994A4573C77DB257BDABE8CE6FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045829Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:51.863{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F427D0E91552DE6C7D156AEB4ED263C7,SHA256=9C5E8B6ED298894B9E02AFF5F989DA9B870E50FF8E32CC90D18CC9759F638BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032393Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:51.100{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D970B24D2AB7B017DFCECAE6483108E9,SHA256=75803D6ACD4FC0B3FDE6EDAE286CEBFAB7D3786CE478915E50487C3DA03A9F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045830Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:52.875{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E98DEB13C832DE3443CD858DB6553A8,SHA256=125B5477CD908BB59B8B2C287B38837597A872F02E94B30D7D95EC071D5BAFA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032394Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:52.131{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22999C5CA030FC9B89533F77DAB8EB86,SHA256=8A1126AA1E01957C3582B29C3872BF6FD66BB25F0D2719D86480ED6A3F4E90F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045831Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:53.899{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A446935E02D1D77B0BA422E0EA5F6C5E,SHA256=A7F191FAB65A3E42307504FA546A423FBEB50B0E08F9D9A6A72D8E5D197BD627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032395Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:53.147{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE84999591CE266B7FBC19DFFF3C3563,SHA256=FF64634D410AC0970DAF68DC866173A9D620FD9A91EECD94B7FAD49408E95F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045832Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:54.914{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268DADA094F16EBF283DE40A02C6F7C0,SHA256=3F109F6F7F2FDAC9ED5AB7702702FE47394413D9826BE70B583C8D2D8176DDC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032396Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:54.178{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B4E2598DD209AAA06C0DEA835785E0,SHA256=1EE9CA18AF3C4CE62C692E114AC4154422DE53078B254578B33023A9575D1B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045850Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.930{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC073B8A109CE322D4921C887D9F60D,SHA256=D1773DA3581990BE317A8131FC8D4F587091D11FB58B02D2B85878EC7BB7D2E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032397Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:55.241{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A65A38838A1E0FFE2F18CBE5D58A6E7,SHA256=571C46E8BA8969D022616B98885821C896BC66E024B3904383A2C8786309871F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045849Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58A7-6112-1008-00000000E501}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045848Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045847Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045846Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045845Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045844Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-58A7-6112-1008-00000000E501}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045843Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58A7-6112-1008-00000000E501}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045842Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-58A7-6112-1008-00000000E501}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045841Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.183{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58A7-6112-0F08-00000000E501}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045840Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.181{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045839Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.181{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045838Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.181{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045837Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.181{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045836Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.180{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58A7-6112-0F08-00000000E501}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045835Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.180{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58A7-6112-0F08-00000000E501}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045834Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.179{82A15F94-58A7-6112-0F08-00000000E501}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045833Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:52.613{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64324-false10.0.1.12-8000- 23542300x800000000000000045862Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.945{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FBCC499BBA496ADF24C88913778D59F,SHA256=854186BB0E55A40EC64103217BCAB2674EB1C18597F90F9AEE34263B8154FBC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032399Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:54.944{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51480-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032398Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:56.366{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7918366498FA19DD0299279580419BF,SHA256=92D17C17A4C61609E1D185329A300E72A3AC907BDE013E8E10F750E03AE2ECC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045861Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58A8-6112-1108-00000000E501}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045860Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045859Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045858Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045857Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045856Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-58A8-6112-1108-00000000E501}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045855Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58A8-6112-1108-00000000E501}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045854Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.515{82A15F94-58A8-6112-1108-00000000E501}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045853Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.199{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8141A987B09D66790B1F528AEDB2356A,SHA256=3B885CF772C076FC1F9E623E756FE784D0F00706D26107DC27E779741517AD3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045852Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.199{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5420CD3532D226957F20D646AB57B789,SHA256=AD1DD6F5A90DFFF4894FC57AD10FD080EDC070B49932FDDAA8BDA0B35130E3E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045851Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.999{82A15F94-58A7-6112-1008-00000000E501}5966880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045873Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.962{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183C56D067D29BFACE15B7331AC61CC6,SHA256=F5DF2639369C788D1A5264EC80C78FF7C6898EA9B1A081C0CEAF3756B04581CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032400Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:57.381{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986B94B44C2076F2585BC07D710FAA27,SHA256=D9D941C6215D52674EB5E3F8013A1F26F90B420D2E0ECBD1C2F405B4DD08EE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045872Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.532{82A15F94-58A9-6112-1208-00000000E501}68084636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045871Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.532{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8141A987B09D66790B1F528AEDB2356A,SHA256=3B885CF772C076FC1F9E623E756FE784D0F00706D26107DC27E779741517AD3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045870Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58A9-6112-1208-00000000E501}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045869Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045868Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045867Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045866Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045865Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58A9-6112-1208-00000000E501}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045864Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58A9-6112-1208-00000000E501}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045863Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.331{82A15F94-58A9-6112-1208-00000000E501}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032401Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:58.397{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F7ED09043832FBBCE1A9D93135F950,SHA256=C1D638720AF9F4A4AECACE3284788A6DBF36D883E569D7988E58F97A7D6D6552,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045891Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.661{82A15F94-58AA-6112-1408-00000000E501}23362256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045890Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58AA-6112-1408-00000000E501}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045889Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045888Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045887Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045886Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045885Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58AA-6112-1408-00000000E501}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045884Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58AA-6112-1408-00000000E501}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045883Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.516{82A15F94-58AA-6112-1408-00000000E501}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045882Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.246{82A15F94-58AA-6112-1308-00000000E501}67641104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045881Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58AA-6112-1308-00000000E501}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045880Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045879Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045878Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045877Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045876Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58AA-6112-1308-00000000E501}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045875Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58AA-6112-1308-00000000E501}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045874Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.016{82A15F94-58AA-6112-1308-00000000E501}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032402Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:59.412{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55EF9013E55A76620D3A31EB66D7BD55,SHA256=1FB0A22C024F90FB64904E85E13BE3331976B3EB48CC2F24A9CA7B82BAB94D8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045901Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58AB-6112-1508-00000000E501}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045900Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045899Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045898Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045897Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045896Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58AB-6112-1508-00000000E501}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045895Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58AB-6112-1508-00000000E501}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045894Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.199{82A15F94-58AB-6112-1508-00000000E501}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045893Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.030{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4396E7D1926B50804DF509B6FAE2B5C2,SHA256=9A095CD17E033A0B9F829FFC9F6FAEDC03F5778C94F93AD99C5BE200C7BBF7AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045892Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.014{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EB7F4C2491D8C4496BF79A8B47A8DB,SHA256=1148C226E08EB85EC1FAE1387992991589915373C0EB8E3744FD83CC356EF5FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032403Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:00.412{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A972A0666A0074EC9035E4CAE5D06072,SHA256=65B05F489FE3BA177B34934F808E584048D5C9B8011F6489F6995EDBE9F47DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045903Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:00.199{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=264DFDDA8F9BE2A31C267E6D6EE90762,SHA256=3D8EB195BA498B142138258F3FE8F392BD60EF8573AB6335DDC70B5FA6DDF2F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045902Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:00.014{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C01C480EBD8E8AEFA14276843743BAE,SHA256=61F2EDD76EAAC485A968E6F8BEE15CE25489355FC777D9900D5938D1AB5E80CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032404Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:01.537{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CCAC15B4905AA2326B9FD2F27D130A,SHA256=35ED070AE5992FDDCC0597588B8E468344B6ED3B93602E4454E5DF7D96CFDC0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045905Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.565{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64325-false10.0.1.12-8000- 23542300x800000000000000045904Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:01.015{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FA5992FEAE716E2DD22326E34BBCD8,SHA256=48F23E2B37755334FDAD23A82ACBA3121D4F014EA7CB26D95FCBF4E8EF13FA6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032406Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:00.912{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51481-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032405Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:02.553{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187168431BD279DF363219F76B5E3CD6,SHA256=A048B2A86F731FBD3BA0CA2150ED17D01BA2AA3D4ECD18AADBB0E2AB0E6509E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045907Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:02.061{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D374F6472E5920F90D29B62A2ACF207,SHA256=348D384F94922537402EB110C468F290B606F79B1A60AB03AB4BAD63D0BD0EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045906Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:02.061{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=942757CFDD756C6CA2A04A20B17B4EC0,SHA256=2FA80B76EF62A49269566D69CE11420D7BEF304B37E29A85A1995F3A4ADEE69C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032408Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:03.803{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032407Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:03.709{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF35BBC605D7D7BCE2BC23E70FBD219A,SHA256=5FD6EC266E41D93FFA495DD272B7E959E69B723C4AE2E68C832028091A4F2285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045908Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:03.061{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F581B495CCAE4121F68CC32EA29235BE,SHA256=E16E34E15AFC5ABA10D2A9290BACD497A7B48F7E55777F09BBCCBD1AE7392EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032409Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:04.709{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5111FF3ABBFEE0887E0AE491A6CB68,SHA256=5308BC9A3CDC4C596D61726C20468624F40F39DCC347E1B9BE0DC544665DA35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045909Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:04.078{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772CF8152B7056AB586E558027C6D064,SHA256=8F05318016582B396CF8699CF71689CE7034F336634117F89021F254020926BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032410Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:05.866{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A7007D87012A15D45C3F9CE72363CF,SHA256=0C728043397B179C9DCADDB19011109F65390D5B5ED0162956A367F3B110C809,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045942Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045941Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045940Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045939Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045938Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045937Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045936Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045935Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045934Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045933Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045932Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045931Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045930Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045929Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045928Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045927Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045926Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045925Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045924Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045923Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045922Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045921Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045920Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045919Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045918Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045917Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045916Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045915Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045914Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045913Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045912Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045911Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045910Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.097{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B4B786FBAC47343401CD8C2EFB86E0,SHA256=5D395FFFD2C6A83CD1AB9F0D00C069757D4D6C6AAD78C9A76B4E6C3F6DA9BFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032412Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:06.897{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E38C04F63C4B5209A1BE12B3DD4321E,SHA256=432C374B3665973127B18C4A9BA4A126392E404502DBC648D053001CD79ED5EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045944Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:06.612{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD9B8A0AA2903C4B9097F01EBB23A78,SHA256=AD45561AAA956F59B4EEFE878BAECFDA5EDD5A92129C023ECB3FF32733CF6B0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045943Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:03.580{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64326-false10.0.1.12-8000- 354300x800000000000000032411Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:03.569{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51482-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000032413Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:07.912{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68323D004EB9B8BA59A9EBD1FA3388BD,SHA256=6579F0A27FA916C749F7A3E194AF19D305F7C7ED0743A425DF8F203C6BCCDE7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045945Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:07.259{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E4E459B13F814F0EAE8E8F24223BF3,SHA256=214CFD0385D71D4F08862EE8D64025FA35FF315902492677BFFFA76552E62258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032415Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:08.990{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2596F003DC85A24882064BA73DC23B3D,SHA256=F23D669F317E7C3B5C0BB36F2638582DF34ED92995A40293BD4821C14E0C3E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045946Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:08.276{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03053AF4CA5302E52C4FD46D54C60131,SHA256=0ED9D291E8CE72546EA7B2245E3FF7676B388359FD698956CD3A321E1851C952,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032414Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:06.912{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51483-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045947Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:09.327{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94915BAEDFE0315C60EA4D61670ADB6D,SHA256=8E3F8871D0FD4330DA86AB3285C4A084F158C34E7D942A1ABC8B6064C46CC6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045948Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:10.357{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888170655EC3707CDC53D97146A613CC,SHA256=0CA8DDB93616DCC5826D15657ED2E86A9519206661FC5BC900767BA25BEADB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032416Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:10.006{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011C1365047FA911A9A4CC2DF43858E7,SHA256=8B8CE3D16516C8192F25DEDA5332F542BE4B863A92BD958424D70E1909BF9706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045949Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:11.376{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36A487554CB4163B2D9EFF2698E341D,SHA256=5EC0EA57E3E7E55C11BE3FAF0240663B707E15873A17F1EF8CF4A1E43989809B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032417Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:11.069{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B8C2B444421309B7E3603B930C1D2C,SHA256=5D18383B8FEF40B444C51F8E76A2B9B95DAF4C9F06DD843740A495022032C561,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045951Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:09.546{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64327-false10.0.1.12-8000- 23542300x800000000000000045950Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:12.394{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86E7ECF97863FC21A266759C4E49211,SHA256=4CEBFEBD09F069DD8F188B552550918719514727A13CEBDEF19F598A78B80FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032418Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:12.100{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9295B469A440CDE90826FDB4EB5AC932,SHA256=3303671014AA5DF71338D888127CEDB144AC97186E89D6495AAF4606ACB8073E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045952Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:13.440{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B85FCFDEA96D2373621AA81280B14CF,SHA256=6AD87EEDCBFFA607FC5CFFE59E1389440972F1E3ECD1AC3C0A13E9AAB22D97D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032432Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58B9-6112-8706-00000000E601}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032431Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032430Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032429Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032428Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032427Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032426Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032425Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032424Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032423Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032422Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58B9-6112-8706-00000000E601}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032421Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58B9-6112-8706-00000000E601}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032420Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.679{82855F7C-58B9-6112-8706-00000000E601}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032419Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.115{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B40AD790455516E487A1579CFC82E48,SHA256=CA992EE0FEB1F907E6D2CBD3B5BF0637BEC45F5C9170731DE27404E172FCC418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045953Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:14.455{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FFF8D9BBA3622E01748577BEDAEFB5,SHA256=B75ABA1C3D5A0D26F0D6989A1242D9A53979FE802740A93E07E2FA414A280FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032450Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.912{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58CC236C5312534C1036DEDFE82D0FF1,SHA256=1E20D59C468CF81C4CE661F8D12DD08CC5E7023BB1BFB3B59791FDBE36D4118C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032449Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.912{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF554E22A50910FF0C89AB90275A4336,SHA256=52A7FA2E02F354E765633CC0E1E282E4D7F6E22F58C876F0EF160358C038FB7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032448Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.772{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7955C309EF029213362E27B5D5B16599,SHA256=33FB2D5AC5DF83E4303A5B5C5A903551FB54A853F6B26C7F173C2369C5281900,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032447Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:12.943{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51484-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032446Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58BA-6112-8806-00000000E601}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032445Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032444Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032443Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032442Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032441Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032440Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032439Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032438Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032437Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032436Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-58BA-6112-8806-00000000E601}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032435Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58BA-6112-8806-00000000E601}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032434Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.351{82855F7C-58BA-6112-8806-00000000E601}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032433Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.131{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E38B8F51BA616B9EE59A9B638D4CCD8,SHA256=34D9A397CBF1F675D3D65A213F254322EB405D0E85F93D7AEBC89268A0A0414E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045954Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:15.472{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC1A44E15CC3DE23CD9D5FFD57D8E52,SHA256=43C3BB2B5501E9B4E2357FCC7C8DF11233596365B6487EFC22F40FD8E63CF54A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032465Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.209{82855F7C-58BB-6112-8906-00000000E601}15922524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032464Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.194{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D6B2EE7FAA89BDF002340CB67A9DE9,SHA256=E4CFAFD2AF4EA0E1D939BA787852A9C7778F0DAC9F4E9F35BBA6C4F680451D21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032463Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58BB-6112-8906-00000000E601}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032462Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032461Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032460Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032459Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032458Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032457Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032456Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032455Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032454Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032453Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58BB-6112-8906-00000000E601}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032452Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58BB-6112-8906-00000000E601}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032451Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-58BB-6112-8906-00000000E601}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045955Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:16.491{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7FC393F7AD09D41C68DE9673B995EB,SHA256=415B60973A050F364E5362493906AF02B8FC4FD977185A5697DD7B8F2BB786D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032495Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.897{82855F7C-58BC-6112-8B06-00000000E601}38043036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032494Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58BC-6112-8B06-00000000E601}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032493Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032492Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032491Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032490Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032489Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032488Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032487Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032486Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032485Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032484Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58BC-6112-8B06-00000000E601}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032483Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58BC-6112-8B06-00000000E601}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032482Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-58BC-6112-8B06-00000000E601}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032481Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.241{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7483F0368E84992FBCA75B99242FFB5A,SHA256=2BCB6C3B98E91847C3DAB31617B221F951829911DD435C2EF68C00A7E6860448,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032480Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.225{82855F7C-58BC-6112-8A06-00000000E601}28723232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032479Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58BC-6112-8A06-00000000E601}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032478Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032477Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032476Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032475Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032474Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032473Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032472Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032471Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032470Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-58BC-6112-8A06-00000000E601}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032469Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032468Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58BC-6112-8A06-00000000E601}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032467Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.054{82855F7C-58BC-6112-8A06-00000000E601}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032466Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.037{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58CC236C5312534C1036DEDFE82D0FF1,SHA256=1E20D59C468CF81C4CE661F8D12DD08CC5E7023BB1BFB3B59791FDBE36D4118C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045962Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.522{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935FD03973E69C6FB44B992532CF8BA1,SHA256=750BDD0CE756EBEE74D7763FC74D98CD7264404EC8F309BE3F628C3F3D64C5C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032510Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58BD-6112-8C06-00000000E601}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032509Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032508Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032507Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032506Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032505Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032504Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032503Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032502Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032501Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032500Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58BD-6112-8C06-00000000E601}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032499Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58BD-6112-8C06-00000000E601}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032498Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-58BD-6112-8C06-00000000E601}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032497Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.272{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15545F7AF6E897BE8A3485F4E8F173F8,SHA256=E162A14DE3C45BF24968CF223183EBACEEDD07CAB906F786D06CACE4B4EC7D9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045961Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:15.558{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64328-false10.0.1.12-8000- 23542300x800000000000000045960Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.207{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045959Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.138{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000045958Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.122{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000045957Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:45:17.122{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.3780.19.95806897C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000045956Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:45:17.122{82A15F94-42DD-6112-8005-00000000E501}3780\chrome.3780.19.95806897C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000032496Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.084{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09AF3FD4A09733D42B01AA49A7452D15,SHA256=59404517167956FAB84613D46CE5C5C9288D33804225879791924CCCA7988D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032526Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.631{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E29C9E0B38077A41109B5ACBA0D333C7,SHA256=3E7F27C988EF2CFBDBB5B5C0E09DD2A6E5C81348324C2B765245578F16131DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032525Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.631{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE87E98586C0E86EE1BA0D249DDC1B3,SHA256=4C5FBD907C989847148ED4B2D401C7FBA959B1F286FFF452A873EA62CCE8A5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045972Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.537{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97EB6A847B9F0886719448DB45324E0,SHA256=9747C8272871BD24FB454EA2ACE8ED1987328449CFF5849A8D202CE049461D8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045971Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:16.561{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local60543- 354300x800000000000000045970Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:16.559{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-15.attackrange.local62894-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 10341000x800000000000000045969Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.070{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045968Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.070{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045967Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.053{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045966Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.053{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045965Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.037{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045964Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.037{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045963Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.037{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032524Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.240{82855F7C-58BE-6112-8D06-00000000E601}8282704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032523Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58BE-6112-8D06-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032522Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032521Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032520Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032519Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032518Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032517Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032516Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032515Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032514Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032513Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-58BE-6112-8D06-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032512Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58BE-6112-8D06-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032511Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-58BE-6112-8D06-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032527Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:19.647{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE35D8A4C30C260EBF0E8D0502650AA,SHA256=315453881E28FD73F1FD635B93B11F4E5A4870AA2B5A0BD29F1D4EBCAC3C6BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045981Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:19.552{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDF19007E1FE0A5A5A0B99E447616A0,SHA256=F5976A4806A09F869BC9A6E76028B94339785193AA4D48CA9BB35FBDCCD1EA08,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045980Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.433{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64331-false192.229.233.50-443https 354300x800000000000000045979Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.433{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64330-false104.244.43.131-443https 354300x800000000000000045978Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.362{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53562- 354300x800000000000000045977Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.361{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local51873- 354300x800000000000000045976Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.358{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local54964- 354300x800000000000000045975Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:16.663{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64329-false104.244.42.193-443https 22542200x800000000000000045974Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:16.563{82A15F94-3D89-6112-C804-00000000E501}6460twitter.com0104.244.42.129;104.244.42.193;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045973Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:16.562{82A15F94-3D89-6112-C804-00000000E501}6460twitter.com0::ffff:104.244.42.193;::ffff:104.244.42.129;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000032528Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:20.694{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04BB00E583DE879E2CD77786BDDEEEC,SHA256=B5348BA9EFDA79A96167F682A3C8415BCA32C990D87F9068CEDEF6059095461B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045982Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:20.569{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4738E443876535F2469541E87003466,SHA256=A944E99715A0FBD6B552569DD5A6EF835D54DBBCD4B23084B24FE44DC373741F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032530Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:21.725{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251293845C9FF074CC924F44998AFC9E,SHA256=00A03EABA593709CF706DC902E1EE533906B75381AF534A513066DECC940BD92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045986Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:21.723{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046905CDC6A41DE5FA2B7D653F9A2070,SHA256=E05CAC1A150A81F88FEC70D0BBD57B780BA9779BA67319AFF0DA75E92BFEBFCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032529Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.943{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51485-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045985Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.840{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58417- 354300x800000000000000045984Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.840{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:2600:0:98f0:c1a4:8bde:ffff-58417-true7f00:1:0:0:0:0:0:0-53domain 354300x800000000000000045983Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.804{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local58417- 23542300x800000000000000045988Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:22.738{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1E6FC22B0D08B6A3366756DD17685E,SHA256=C0667B22388798FE8CBD66D0172CCF9D0B393C72B02A613AB9DA95EFB31E6716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032531Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:22.740{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22AFFEA27B230B390FFE42BC9406F85,SHA256=3A7D9EFEA64CEF3BAED5A2635BF36D69E58038260BC3A7B3B04DEBBBA2F400A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045987Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:19.239{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-65441-true2001:500:200:0:0:0:0:b-53domain 23542300x800000000000000045990Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:23.775{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3194289DBF2B83281A763DB7C1E1CF1F,SHA256=1C59EF8885A88798AC991717BEE12FDB9E56ED2490A2DEDE64921FC696BB55E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032532Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:23.740{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336ED13378DD5D51936F59000F001E75,SHA256=5753D6208C357E5559BB95B51F7D8DA8DECE7044005DE77420BD32D077B87706,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045989Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:21.489{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64332-false10.0.1.12-8000- 23542300x800000000000000045994Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:24.823{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBED47516FD8123EAE2B65A65F976011,SHA256=EA503D11ADE2BF20B3BD7ABB1BD7B9E33796B1F72751139A84915BEB135C39F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032533Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:24.787{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E01375E540C25168F8D91AFADFD70A,SHA256=B74CEAE0DE1A19C06FBAB89BD235C9681D45D72769A367770722CB24909EC5D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045993Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:22.236{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-55581-false127.0.0.1-53domain 354300x800000000000000045992Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:21.904{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55581- 354300x800000000000000045991Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:21.873{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local55581- 23542300x800000000000000032534Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:25.850{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F3530CA360E28DB30EB38B48D101AF,SHA256=73AA5FE5FB3E9B1DFA1AA8560B101984F944D25E24C385B2BBF08969D2498F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045996Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:25.838{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E25E709BF3DA9B9AC94D41EF35793EF,SHA256=47DC585C10DFD2FF38A2182AC151CF229C1A22D1A419B6193A3F2CF4564EC262,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045995Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:23.073{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-65441-true2001:503:ba3e:0:0:0:2:30-53domain 23542300x800000000000000032535Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:26.865{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1942C5C6D78DE0F9D85EBB655C4EF32,SHA256=22C48BCA610A5900D7D60FC3081CBB10D1C651F53F58C86A4C1BE49543124196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045997Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:26.839{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75524195AA82A34AD48FB035F40AB94,SHA256=7E4CEDBF48A6BD6EDA9A86D5F2565AAAB89E98B4FF9988C7C864251D2A3AA0B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045999Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:27.854{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB01E8CD54CEAF3AB8527518D26157A,SHA256=062E9EFD889B8FF52733B7694650A8A192FF7803E492AA86AD2A8ECC529A5CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032536Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:27.912{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E533F67A0216C753736354732ABA0EDC,SHA256=1B0D819B25183F04D1D2B375B07E8E48E67BD7F8784B4A7A67E55C53706DAB1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045998Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:24.958{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50600- 23542300x800000000000000046000Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:28.872{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9825563ED8CE58DB1C2524C2D4AEA392,SHA256=4F00B1FA5C36BC2CDA49B412B66A8BC073DDB286E2E321BBADDF3C3C9B36E29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032538Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:28.948{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103ED90FCE8E77E82E51A9D1342BC0B9,SHA256=708E59E7190EBC5451697E5C3A0C7B0FE4A435667F46FC9F2627D344EB6A2A08,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032537Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:24.865{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51486-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046003Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:29.891{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB5A81B039D0F23DC10492DBAF1CBF2,SHA256=7CBCFC27A72539D43DA6ED094CB0C76462745182D0618D7D194B50383232847A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046002Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:26.690{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-65441-true2001:500:a8:0:0:0:0:ee.root-servers.net53domain 354300x800000000000000046001Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:26.490{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64333-false10.0.1.12-8000- 23542300x800000000000000046004Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:30.921{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1359D017FEA3FD62790D1094C70C2B7F,SHA256=764FB9E170DBCCD6FA1EA66AAB6DEC8068717021A045FDDBD78DA6C101BC27C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032539Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:30.011{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FDF48BAA0A9DAD4DE4AD6D26EC9848,SHA256=EB6214FAD08E57BAC12BB255DD21D1C75D085C597AAA502EF91B53CFCF4CA001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046007Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:31.952{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85338CA0EA923DB69E4A4F346ABC400,SHA256=614A32C04B55ABF9A2874978978D6CF012DF32808D53A8AA488C40A9008C9D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032540Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:31.058{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BC4566E9C960C061ED2EBF7037D595,SHA256=2CAC98C1BEDD12337524D3F0162D7754E05DDE26A9F8D299CF061E8B389D050D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046006Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:31.453{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6C19FB6AD68C3170E26792ACDA700079,SHA256=DA01D5F0E4696C8A40F8D6D0D5C2E17D6A6EB744941B645C3B5C805682353998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046005Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:31.453{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4250B8C25F2D5F0AF62998F786358D20,SHA256=7FD0CFF92E8A68CC058CDA040BCDAEAEA26158CD3F63CF799B6CAABDF5926A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046010Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:32.970{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B21D2E8932E76F15D1273DA3B2C100,SHA256=65ABE18B6464000AFD7C5E16F4F628AD50EEABB0DE6BC11FD3DC9F42E53C341B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032542Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:30.011{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51487-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032541Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:32.074{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9C43E5A134730A12CDACD79F1D6A0A,SHA256=16101B06C7A1FDB11B287A2CD5D0112E3F660E9F4A99C2C72189AAAEE7E816B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046009Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:32.920{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BCBD6DAF0551442E4AD28948A7D9901,SHA256=360FA86B10E6374931355ACC2F8E36449717E4A46054AB2EC646C22BCBFF983A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046008Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:32.920{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CB333F2BB977E984CE8053AFC975889,SHA256=32BB506ABEB6C4AEAE1FEF77BB8D3F2C6EBD387A01AC551B93D3EA853AD8973F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046014Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:31.325{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64334-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000046013Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:31.325{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64334-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000046012Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:33.436{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046011Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:33.020{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032543Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:33.105{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FEB099125B101DF157BAB5486D1BDC,SHA256=361DD3590CC2ED08DC0D824F550558A166666A338831F883EEFFC692080E8F44,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046016Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:31.641{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64335-false10.0.1.12-8000- 23542300x800000000000000046015Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:34.004{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B606639DD0822B7349CA85016CF0C1,SHA256=37DDF2E90D5120818BFDDB88911F6585370E7135AA7211BF3EDC0D849ABB7FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032544Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:34.151{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1489F8E705461E480F564FE54587EAF5,SHA256=A0A7C03E33B1644505ECBBC9CBCDD39535DCD4787F8AAA9E48FAE293A466E12D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032545Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:35.183{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4285ACCE1B9D78830ED91835A7852377,SHA256=F7DB27237F58ED6689D87E358103A8F182E703D74F1613623342423CEA9EEBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046017Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:35.020{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00543BE606CD5B719C529955E735AA8,SHA256=4D01D8A924ED02470B98BC4555049F6415AF9155AC386A8897C5980667E57C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032546Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:36.198{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D72186CC5971B767119AE831F3A57A,SHA256=7A4BFADBCCDEBE7B8FD47EFD1B2273587B60D4F4A71D1DA5096B5DEBEF77A0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046019Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:36.035{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEABDEED3DD74D03E9CE0F28ADFFD7E0,SHA256=792F7FF5AD3BE7CEE48DE11C29BE7ACC3BBA91C5840358BA8B6928AC686F5D2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046018Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:32.856{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64336-false10.0.1.12-8089- 354300x800000000000000032548Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:35.948{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51488-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032547Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:37.199{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720DE4D4B14B8BB75EFEBBC8566C69D3,SHA256=238D2417F67968B70E7B20EF9EEA138668ED3A3049B3C222F143EF1622772251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046020Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:37.050{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE22EFF0035D642511070CB91369690A,SHA256=3467DF835EF8DA9B0309DB67F3A286817FF5E019FFAF907D1C41810BB214B2E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046021Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:38.067{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33327DB92179078034F12F8E5902DB6,SHA256=67A6B440DA56B5D12D81D12968E87A8014E0BE28BCD38E7D39685764863CF01D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032549Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:38.214{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0ECEF1A1E820E9E7441A6C497FEAD2B,SHA256=3CACA31FAD29B71715B7EA38F3117280A655FE7B11D451C5500A9FEED6A65B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046022Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:39.086{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9526C40B49077F50DAD2A33BDA62BC55,SHA256=2A5F05B827D54E6407703D4C2FB1769180F5A0900B2ECD82BAD000F2FD5AAD22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032550Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:39.230{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A4F2AEC4BE06B7BEFAB8AF293953A3,SHA256=4723A3A534CE2F62848EA10A56E39644383CF1E4DB7B106C5C33A5181DD9D43B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046024Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:37.584{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64337-false10.0.1.12-8000- 23542300x800000000000000046023Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:40.148{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB0059A96CF151D5094887BC15AE207,SHA256=73E5BE0FFA01638AF2D06B65A2BD1D62E46EB44994588A6A90129F09F1BA1FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032551Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:40.245{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DA1FA08BA33670919BC294AE159166,SHA256=7B609F49B5CFA13866CE0B543150376372A30B14E69443DA89D57A2C9C7D9B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046025Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:41.231{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5130CD243BF4F379D31ADC0AC611847B,SHA256=4E99AB51BDCE95FDCA186A851F03B66DFE993257F0345D8F668D9088E5040B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032552Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:41.278{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98E867BC508473449C7D7262E391921,SHA256=5EC8A044A1F43C38D0B45B334B492368F41743F3B91AF6E4245EA395436A0F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032553Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:42.306{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3404F75C59AFB3D0C07A5F6C50E867B,SHA256=D2AC4F8E76ED46B8CD374DB6581D3D8F9E0D4A5F03576A0271DB11604D891EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046026Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:42.273{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB14C9E65D4347F17156B53ADC4C5932,SHA256=56E01E3507D0A52353FC043089E185F869B7CBBEF8E71667F249CC0FEE136A2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032555Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:41.883{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51489-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032554Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:43.370{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5974FE61139EC997DB19B476A61121A,SHA256=B9C960994106164810F4B313AF394750DF02BF5274AB3423795EF25FDB309FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046027Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:43.276{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220039E074C1361C2F22E2275CE7FD56,SHA256=698FA5E491EB52A21374D2ECD617F5D7EA5119FFE3D2152B9AA6F183B1CE82BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032556Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:44.386{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A354C72FE47200F9A0E1F784E8328A,SHA256=F99A178724CD7655501DD77300F6BF4575810EC91F09462A550367B76E4F9EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046028Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:44.354{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A52E5A05B8661CC2D43BB41AE56CF7D,SHA256=432FC69BAB0066A70982E3549128CB43069E72B1C07A32B2A57BD22AA536C543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032557Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:45.448{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AB0DC76AB0A2F424493C1F1C43B8F2,SHA256=795F666251735340975B61CEF44E6182CD16B8EF9EA392A02B91DDB410D90682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046029Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:45.407{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B836B0694E21CDB9C6C4D08BC7A073,SHA256=00B6F9B0499A89D8862681C0F07595B31D3F0020E75C1D29F52BFADAA9CEECC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032558Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:46.480{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91640941A90482F25AC1EC0F2234B890,SHA256=FF80F7BA21612F11A0BA52494FFBA3DD4F85B1F8173748D2879B0B4FA1F1F776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046031Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:46.422{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25153FAEDA1E7FA9374C9DB87EFE7639,SHA256=04DB3FE3B3D1DB6BDF19708D8AF9D9BF3D806D13B6A70C651EDF93BE4F616F27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046030Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:43.489{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64338-false10.0.1.12-8000- 23542300x800000000000000032559Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:47.495{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B45057993B09B6D7DC7B65824B1FD44,SHA256=084847C16682C0B4821FE1EC79FB947364F707219DCC61ECBFECE27C7F481B59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046032Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:47.452{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589AF68557FEC3C57ECD48F38671FCFF,SHA256=6AB37BBF7C012591ABA340EA60DF911C5206C01C1288D3E3BCD978E4C0AADD87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032561Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:46.917{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51490-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032560Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:48.526{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00ECB9C4434D2056BF59BF330477C73,SHA256=1151F2F9988C9D64685A72392DF239119D4522AD32E8952485309212563EE39C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046033Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:48.471{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA8195FA598DB09353E0053F5D1AFFA,SHA256=577725CC9491E0DF1202F7E5B456BA5AABF6A5A6A9BB62D3E6D8B6A4A1ED00B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032562Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:49.542{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD77C7FB1367D0ABCB44BA57D1D8E69,SHA256=706842849847CDB0216DFC784A42EA48456B8DA5A4B45A03F5B72ACCE5E1627B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046034Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:49.522{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC01DAF769E0F2465634F71ACAD1F48A,SHA256=AF1794812F110C4940C75D9BE294163451457878643484EF70E012FAD80990DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032563Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:50.557{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA9FCB3ACDE1794EC3C87182D0602D2,SHA256=6FE11E7E70EA6F352E6D8AA1197ADB4ACED3150E3F9B90AB897912FDB44EA5EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046035Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:50.539{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4C3A357A830014F02C59C733029072,SHA256=AC3EC258B49DE695D1EF13634BA99839A4E3B4B888531A88EA1CF17DC7AC7A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032564Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:51.573{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF31D2FD46BB62E750FB32F829CA331,SHA256=BE210D87236F1545F7CC1961CFC120D3AD198973142ED48485C6C76C5355FD68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046037Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:51.554{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CDEB19EFB3ED381A7A341910594FC6,SHA256=00164C0332330DE7AE9DC3B4DD68D5A73438F39119DC1540484F72868FB233E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046036Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:49.503{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64339-false10.0.1.12-8000- 23542300x800000000000000046038Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:52.591{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDB7D20D0D26F6A3606D86BDF3FD96A,SHA256=4E947038D8F0CB54DF4558E0E4CD8F8C76C792FC366B420CF127EC83FA587E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032565Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:52.620{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2970361BC28FFF61629E05BD5EE4FB53,SHA256=6547E6F552C3230FFAD2406014AEA28F62ABE2AB2E1A0FBFF39F82389232D65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046039Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:53.622{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED9AB9316F5C718627551EF9A595E39,SHA256=E145A4DB96A1CDAA83B941B3036B92C6AFDE15CDAECF60B9A803AC892E6C5E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032566Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:53.635{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566870A92A74D7F705054F7E9AF24E04,SHA256=FEAB700A88886C09C7345BED17BCCD228166A9CBA4470E2AE58558F869E5B851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032568Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:54.651{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8A542FA72BF8867BA55488F70031F9,SHA256=A6581AC412977AEB45CABA030F1E060DA52063AB2D011E2067C9ED2E5E782227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046040Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:54.638{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A249BCB2E6A2583FDD14F4893FB3C6B,SHA256=B2280D3B28C4684236BCD308C26509308CDD4840B66D12F347DFA4F28F979786,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032567Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:51.994{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51491-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032569Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:55.682{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83FA6F0BF29F9187D1022E03E91E6EC,SHA256=7745392F1AFD7CD52FAD5DE8B498900D1614E8A673A3D449A95DF1F25F4E1CBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046058Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.937{82A15F94-58E3-6112-1708-00000000E501}39925656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046057Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.774{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E3-6112-1708-00000000E501}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046056Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.772{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046055Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.772{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046054Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.772{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046053Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.772{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046052Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.771{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-58E3-6112-1708-00000000E501}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046051Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.771{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E3-6112-1708-00000000E501}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046050Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.770{82A15F94-58E3-6112-1708-00000000E501}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046049Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.653{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F95A0994F8E8D86EED547EC4C6316C9,SHA256=99818A0AA04203C93EB8F9116DAE2BB850F4F1EBE3F1133B89A5E43777663F0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046048Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E3-6112-1608-00000000E501}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046047Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046046Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046045Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046044Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046043Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58E3-6112-1608-00000000E501}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046042Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E3-6112-1608-00000000E501}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046041Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.154{82A15F94-58E3-6112-1608-00000000E501}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032570Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:56.729{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A81D78D3B7D52BC058BAC692631B753B,SHA256=53228FA1280561A046176721365523B899E096A58AE4E230B2DE9EED3FD26DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046069Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.675{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476575756EF508DD9624598EBCDC58CC,SHA256=8C33BF0C8E59B6343774E3B3080C7E2FEB4EB081D7FB8E0EB9B13EB3533628F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046068Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E4-6112-1808-00000000E501}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046067Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046066Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046065Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046064Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046063Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-58E4-6112-1808-00000000E501}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046062Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E4-6112-1808-00000000E501}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046061Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.392{82A15F94-58E4-6112-1808-00000000E501}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046060Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.154{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4A601E72C73A1BF82667E2D0E798BA6,SHA256=6295DA4E290F4B79E39B34EA690201E5001C7FE5383723F04C085785A9D700A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046059Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.154{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BCBD6DAF0551442E4AD28948A7D9901,SHA256=360FA86B10E6374931355ACC2F8E36449717E4A46054AB2EC646C22BCBFF983A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046089Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E5-6112-1A08-00000000E501}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046088Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046087Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046086Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046085Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046084Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58E5-6112-1A08-00000000E501}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046083Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E5-6112-1A08-00000000E501}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046082Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.839{82A15F94-58E5-6112-1A08-00000000E501}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046081Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.707{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F41649905841EE0B280F2A1D9D6E835,SHA256=1C56BE2E34A6C0975D1EC6C083464FF6E26BB106BB8B0591C6ED87576432471B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032571Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:57.776{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908789EEEEE8D9FF5BC7A070089E25BA,SHA256=A1DED156714E172FEB945D05F5F7DD5CAA32835460B7C566C8AC8A039B3E974C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046080Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.538{82A15F94-58E5-6112-1908-00000000E501}29446164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046079Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.406{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4A601E72C73A1BF82667E2D0E798BA6,SHA256=6295DA4E290F4B79E39B34EA690201E5001C7FE5383723F04C085785A9D700A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046078Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E5-6112-1908-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046077Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046076Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046075Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046074Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58E5-6112-1908-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046073Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046072Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E5-6112-1908-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046071Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.339{82A15F94-58E5-6112-1908-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000046070Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:54.657{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64340-false10.0.1.12-8000- 23542300x800000000000000032572Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:58.823{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3897929F13D8338281ED4AF3C20613,SHA256=436A2908E321C4349C19A4CA3932F82E243A5147940AA0AC3B03BC84FAAC96AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046109Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E6-6112-1C08-00000000E501}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046108Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046107Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046106Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046105Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046104Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-58E6-6112-1C08-00000000E501}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046103Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E6-6112-1C08-00000000E501}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046102Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.929{82A15F94-58E6-6112-1C08-00000000E501}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046101Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.843{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20584C75628BD64F9B0EAEA5E1064B4B,SHA256=E57646D1DEFB6E0D9453D7294ADED7012FB2BC3B726B8A97270DD8D67739A807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046100Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.743{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACCD173845A6DF7C62015F451198068,SHA256=9618C63B98F0F2F52786F0E45165EF549D37BEA951E3A082E02C880A6E4D6723,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046099Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.512{82A15F94-58E6-6112-1B08-00000000E501}48205932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046098Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E6-6112-1B08-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046097Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046096Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046095Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046094Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046093Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-58E6-6112-1B08-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046092Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E6-6112-1B08-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046091Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.344{82A15F94-58E6-6112-1B08-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046090Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.075{82A15F94-58E5-6112-1A08-00000000E501}67886664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032573Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:59.870{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82096B83D034633604A502C9E9ECC884,SHA256=6622409630D840786C52BFD8026CA12E01216C8A759092EE69D002CB05A7638D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046111Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:59.945{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7C7BB254D9B4E2BD280CA7CAE71144E,SHA256=4315354C449D0C15F84054C3F35D4982E25C38C2BB9AFF7B8AA0374E7DA16448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046110Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:59.761{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E4C79B4F98C93D1325021D182B4986,SHA256=1E91CAB5A790A475D78558098B7394D36D97E415E145EAF3F3827E623980D662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032575Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:00.901{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5787B573066F040284278183E1A263F,SHA256=88CC33AB3D4B0BC1F1FFA680ECB9D6025A73E7F44A7225E1F15FD0213F2DB3C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046112Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:00.814{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0D6E8E689A91C896FD5D3964831687,SHA256=1A28208BDF9DB79C41C834B1C4DA5C501855D9548566AB75408C06FFED223856,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032574Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:57.933{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51492-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032576Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:01.948{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A7A9621D760A94BBE39BA80E4D83EB,SHA256=86D6BFFBF66EC5A10A6A6B13E8736485F594F974BCFBF7AEA6888A4DBA1A163C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046113Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:01.829{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0498253BD02F0F5A8F5ADFFBD252BC7A,SHA256=E996001F41E77B2B1BF0FDE0A473CC3F688D16D63A61B3C1D4AC510A8C6D3AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046116Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:02.897{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1588AD49004E23FF31B29FE50B5222B6,SHA256=FB86ABF4527A41F83422C5731AA3C36B58025271185F812844A2B4B38EFAFF6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046115Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:00.549{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64341-false10.0.1.12-8000- 23542300x800000000000000046114Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:02.076{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2C4CFCEEEA7FD8D70047F4379A4D98DE,SHA256=2C98DA26923E6936140C1B9573C3622E57B5DD96E8C3D60F11993929E39C2475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046117Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:03.912{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD588C3CEEF44842CD8ED89B1DAF7F3,SHA256=19D82E408D179CF594E892561B5FF39696B42C93F62F96B9152E386715C28E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032578Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:03.823{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032577Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:03.010{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D553D933A3A21BADD272F917B62CF3,SHA256=424B31ABDEC4F62BBBE9AB0DBD064501C07C68C7880223493ED1B3AFE949AD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046118Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:04.912{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80897FE31C3F4A9282DA6584D9FF77E,SHA256=CBD6392E80E89322FA5536357DAC0DF2EA52B58A68A589A1E3624E0BEF17047D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032580Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:02.978{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51493-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032579Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:04.042{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757B6515256E9779F713E1C6C6375F9F,SHA256=9693E530549B51803FD79D398B857EFE83BE913304B454A226815A6C43C8D64B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046119Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:05.928{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5E3161D0EFF7EEBD352CAC2368FDC9,SHA256=FD8C904F7A9EF38FAE706A7C037F145741265E06576F18C2FD3E9D347C574736,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032582Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:03.588{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51494-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000032581Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:05.088{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDAC31FBF434C10BCF8AF5520F2C473,SHA256=75382F35F968568DC1909E62DB46493CCD8C3593DDADDA38FFA9891C8B69B624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046120Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:06.944{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620DBD7A8047EECBACB578714F3C50CB,SHA256=ADDDCFD3DB5B52B0C0C7F6334A5AF750BCFA9065A653FB89C728A4AEA05F5EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032583Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:06.104{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BBA939A21245240B9B8E66EF81EA08,SHA256=54798D052B1E37D0B26A8CF6C156A21B769855FF89534A1CFAC7CC53516DB802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046122Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:07.978{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524FEC89CB9753D05388223772324815,SHA256=53D2B9122AB2EB020C38ED3FBF019C634C3D0D9190792FE714F8A9AF0EF05784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032584Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:07.213{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6E0F6F40993BA1CB78FDF5218E45D3,SHA256=8C6D78B3097078AC0AC5C4BC9C01D61EAD762FD4EF9A11D808FC2A79F16FB99A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046121Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:05.694{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64342-false10.0.1.12-8000- 23542300x800000000000000032585Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:08.260{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEEDDEB0B6801B1EB961053579AFF97,SHA256=A670FC44BAEB8883D781BF9014F72FEA616CBB7288DA2D487E2A6B8F85ACE830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032586Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:09.276{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDAE09A55E8B4B4F68DA066A13FC9A7B,SHA256=8C117CB0184507E809CEF9529E0CA383DC30D425FAA9B5CD0C641ABD006C67F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046123Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:09.013{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D89A74E5B64EF2D0BC2F6FE59D0673,SHA256=125B1C280C4C3B9F197B33789F5B477F42538F3456295EDAD24C835B07A20DC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032588Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:09.009{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51495-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032587Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:10.307{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78B70AECCCE44C1D39536A52A54811D,SHA256=24F9DFA936E385667CBA1FB8BEF4ED77CE4C334751B9E13603FE1DE7C0850394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046124Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:10.028{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BD9491265192E22B450606BD025AFA,SHA256=CD52EB8650786859D01E81C64603D71EECED1DACDFA3EE9A0DC6EEF89E2F56E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032589Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:11.322{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B722D8C8B8D33E2F813028F3DE521E,SHA256=7BF50EC913484E698620D5E7BA8836F9F42149E3F86C42472C078AE1B8222EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046125Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:11.077{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7087194582E8893266EDBF6276EDE403,SHA256=58ADC511B68413546DDC3A19056AA019A95588F23FCE68DF82FAD81AC8124B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032590Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:12.369{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52579038077063C10D90A3CA9E682876,SHA256=28F6827D3B81DE21E6A8A4DD0FC07029B903AC7F3D41B76FB0A3C7D44274E482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046127Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:12.595{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\aborted-session-pingMD5=BC882B9C9280F4F567F3E30542A35F49,SHA256=8EE5FA20E96ABE975F80BB029BDE2CC936784B88B8C3A7484322F99835F0F1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046126Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:12.111{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB640B688C5F6918D20E6D7051BC162,SHA256=63DF8A64E66120F2BB4C0F22FB822D6DF55EF14FB50F0D1514CB397B5C6CAA77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032604Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F5-6112-8E06-00000000E601}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032603Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032602Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032601Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032600Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032599Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032598Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032597Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032596Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032595Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032594Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58F5-6112-8E06-00000000E601}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032593Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F5-6112-8E06-00000000E601}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032592Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.667{82855F7C-58F5-6112-8E06-00000000E601}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032591Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.401{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0535F25BDEAE16BCDC841027442B6715,SHA256=7C26E98BCDFBE2D7AF8408E97D94212EA56BA0DA724D7D1F6E683192630AC085,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046129Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:11.646{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64343-false10.0.1.12-8000- 23542300x800000000000000046128Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:13.126{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C766C79697C55FB4AE30EC1714D2B463,SHA256=A1AA04C2398684C2EDD075702E419449E4CC39A93B230A98E678DF37025703B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032635Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F6-6112-9006-00000000E601}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032634Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032633Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032632Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032631Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032630Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032629Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032628Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032627Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032626Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032625Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-58F6-6112-9006-00000000E601}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032624Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F6-6112-9006-00000000E601}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032623Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.855{82855F7C-58F6-6112-9006-00000000E601}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032622Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.776{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=464A74BE46A4E99CD4B372549C1692DB,SHA256=6EE193089DE2BA643E228A4D9014909AA82930CBD8BF4BA465E28941F9023B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032621Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.713{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB952A44C77FB9FA52DC1791975770D2,SHA256=A84123C7DCB57A918EAD6D87FABCB9585373283FAE4248AB0D45803E4BE50A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032620Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.713{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FA4751F3370EFDAB9F1327A5A6DCA25,SHA256=F181824F14C289371038084A3F02B41A2463AA6A0848697B20BE9F6E3F5C9074,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032619Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.494{82855F7C-58F6-6112-8F06-00000000E601}684172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032618Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.494{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6D71035683E0CAA2AA9DC811EA1912,SHA256=A8256226F46B1124DD1880DCE3482121BB8B62AA8246C1183644D4805EDA4C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046130Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:14.141{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D716E98A4D896D0D0170E3D142CBD8,SHA256=46A8D062386F4C9D8952F16856E0A7F86CEBF063B297F3C00052C39A530026B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032617Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F6-6112-8F06-00000000E601}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032616Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032615Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032614Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032613Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032612Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032611Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032610Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032609Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032608Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032607Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58F6-6112-8F06-00000000E601}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032606Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F6-6112-8F06-00000000E601}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032605Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.339{82855F7C-58F6-6112-8F06-00000000E601}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 154100x800000000000000032638Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.996{82855F7C-58F7-6112-9106-00000000E601}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032637Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.869{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB952A44C77FB9FA52DC1791975770D2,SHA256=A84123C7DCB57A918EAD6D87FABCB9585373283FAE4248AB0D45803E4BE50A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032636Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.557{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1680B915C8C6877CD85F1B5F9DFB7C95,SHA256=4AEBD58BB75FA790CFA24A7BB0251E77B7A6826B53542A0CBF7E16C0DCD6ED8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046131Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:15.156{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0206864681750BD7BC95CAF9664250F,SHA256=0A6FCF96CC86A3FEA264700F89DF77C141C572CC0E7BEA9398F4180DB90DD8E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032667Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.009{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51496-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032666Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.666{82855F7C-58F8-6112-9206-00000000E601}27243132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032665Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.619{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C453BDABA07E63F70F3AC8AAAB497EEF,SHA256=16A1FD58BBC73F852B92560FD291A58819181F56B20ABAB8EDEA0D1ADAEC443A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046132Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:16.173{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4101818A329F48EEC1D148AFB20704AC,SHA256=88D0097D744D921077551D035EA7AEF096A1C663166218AF07AD60DF94B3B5AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032664Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F8-6112-9206-00000000E601}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032663Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032662Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032661Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032660Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032659Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032658Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032657Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032656Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032655Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032654Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-58F8-6112-9206-00000000E601}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032653Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F8-6112-9206-00000000E601}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032652Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.495{82855F7C-58F8-6112-9206-00000000E601}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032651Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.244{82855F7C-58F7-6112-9106-00000000E601}6682684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032650Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F7-6112-9106-00000000E601}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032649Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032648Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032647Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032646Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032645Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032644Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032643Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032642Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032641Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58F7-6112-9106-00000000E601}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032640Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032639Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F7-6112-9106-00000000E601}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032699Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F9-6112-9406-00000000E601}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032698Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032697Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032696Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032695Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032694Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032693Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032692Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032691Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032690Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032689Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58F9-6112-9406-00000000E601}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032688Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F9-6112-9406-00000000E601}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032687Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.839{82855F7C-58F9-6112-9406-00000000E601}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032686Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.713{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04454344B049904A5892956516C6155C,SHA256=A51CFC0051CE11AE064283F556061AE77821E53EF5D1738B8FFB386217AE84EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046133Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:17.192{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E4631101C659152EA58DDAC54CCA2D,SHA256=47B1F6D2272A25E2F1C266750BE198DA6D6E5FEA59AA93F95977A6D7657032C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032685Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.322{82855F7C-58F9-6112-9306-00000000E601}24961344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032684Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F9-6112-9306-00000000E601}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032683Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032682Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032681Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032680Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032679Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032678Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032677Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032676Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032675Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032674Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58F9-6112-9306-00000000E601}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032673Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F9-6112-9306-00000000E601}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032672Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.167{82855F7C-58F9-6112-9306-00000000E601}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032671Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.057{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032670Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.057{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032669Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.057{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032668Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.026{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18448691FDC74B8EA05C392A205466A1,SHA256=0AE0094046DCC20D3D0464F9069E8E20728F4E0648349ACF8DEF0E8C7A1B9D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032701Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:18.760{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1366DB808069F8DB38AB31920D45DA,SHA256=7914B8F6103CD4B21564E0EE43648F1936F0357C8E422CDAE1BE4F638F5A33AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046139Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:18.553{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046138Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:18.506{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000046137Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:18.506{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000046136Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:46:18.506{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.58.180477827C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000046135Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:46:18.506{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.58.180477827C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000046134Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:18.207{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FB285EE57B9F9B1784B50D6FC29EFE,SHA256=B10CE2D2BB6E629A1A01165093421AEA441422B85090918F61558A170AB1E684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032700Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:18.276{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=158464C845124590E681AF301F46C6A3,SHA256=8917E41860550E0E55AF17A39678BDD5B806AD7FD815FF5F25D751D5AF9A3745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032702Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:19.760{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A36DA4A9881C6543D83D7E16A54D65,SHA256=1AB49646E5198821D1D844792AEFA83697A3DB41CA9FA9AA32CF350A1D5FE65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046148Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=8D481AF18541A3FB428C6EA1A5D1F7CF,SHA256=D403DDCB1406C863D49E8733FBF5B9781515D073FC9E8FF0C43602207A4F6885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046147Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=4CF56037BC43880A18E24322FA80BA75,SHA256=82FFB45E384DE7C441B73912D0C153D11DE0715A397F69EA76F2FDBF05194EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046146Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=6F20206A5EB7026139F208D1418B3BAE,SHA256=C61A8E5CD6E85F9FF2DCF3643727E10EAC20D38295DB55AA9F8220E93383BED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046145Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=BA0309C2C0C7AE4863520D98BDFCC0C4,SHA256=21E611F12D01A1F55B08EEBB1B88F28E542617D47A508BBD1C4F314CF2AA032C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046144Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=AE8B5174E37771726CAE3D0BCBD3BAFB,SHA256=B77FB068F6EE1D58D3D16D7717176FED631602213FCBD49098B7BBEB5BF733C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046143Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=859B706DF9A4BF3DA3F92D0032852801,SHA256=80CC0E5B4A6D358191843F522590334C828493E1CC0310928CD0B751E75E575C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046142Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=9B50F8A39D1D241636983D856F4703A6,SHA256=CF539CDE8A254E02BEFC03290B09BCFC7D4BEA7CDD52DACE022DC0D6F20F45E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046141Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:17.558{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64344-false10.0.1.12-8000- 23542300x800000000000000046140Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.238{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5E83B3DEE815309564671CF85727EF,SHA256=042AC1C8C36CDF065AE567A1CC97637C0D381FD49E38410534F15E8F404F9EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032703Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:20.776{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01AE4AB1DEBEBD085FBA2A8ED6340F07,SHA256=46810DCAAAD34DBFCD0DB5BBC75B4956F4DDE4FDF80E8891F027A5499EE5A16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046149Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:20.322{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB139CBD6C118AA054242E599C64B8BB,SHA256=55FF7998DD5E15FCB3EC2CB321AC49FF9D39EFE68E02D738317C5575CB18DF83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032704Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:21.791{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD803D8E7701988F8187DD485D32ED71,SHA256=022536C73C3F4EEFE4B14921EAA955846D8592B2934A7BDBA1A858725FF938B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046150Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:21.337{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5588C9FE049076F8B39B81AF661F16,SHA256=B2FD02D07DDB32B8E9A5E286254BF4BD8CE626BF99E607741FBC29A12841D0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032715Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:22.807{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757215223023BD67027913DA0C7B293A,SHA256=EB32B6F0EA5BF6304DC1C8E3D09A0CCE573F917AB1C3671A62A57675FF33B56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046151Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:22.405{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64615BDD9D943E3DFDD0592CD03C0B44,SHA256=79FFA7C32CEC7241045F867E09BA85C6278CADBF276014D7751D73BE96056794,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000032714Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000032713Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0086c8c2) 13241300x800000000000000032712Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcc-0x93abee88) 13241300x800000000000000032711Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd4-0xf5705688) 13241300x800000000000000032710Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddd-0x5734be88) 13241300x800000000000000032709Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000032708Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0086c8c2) 13241300x800000000000000032707Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcc-0x93abee88) 13241300x800000000000000032706Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd4-0xf5705688) 13241300x800000000000000032705Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddd-0x5734be88) 23542300x800000000000000032717Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:23.822{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27D8E0A7BA50C31951C335B71AC687E,SHA256=421A1BEEE8EC65D92C1A90CABF1E8EE4D25842A07DD82263FB0034B7B88DC7E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046152Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:23.420{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F631E32CEECCD9CE56280368045A23,SHA256=5E54B88B240760D714B32283EB7C3D17F6B7866EF38894405E84D5252271DD87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032716Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:20.993{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51497-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032718Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:24.822{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA54DA368CF6E9B22FBA9BB549EE374D,SHA256=ED05335D85C33EC2A58D990CC6AAA66AF6CF6F1C6A18036FD80F0714E45E3A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046153Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:24.435{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C760536046DA1813D90FE13185190200,SHA256=CC7816208245CDC77969FB459D228DABC84C4F60C857E7A1236873CCA0822BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032719Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:25.869{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E89A3AAE6266904613E16513A7FD20,SHA256=69D6A593366A14191B9591B4DC728E679E16DE0F9BBEF3EE21311793F563CBB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046155Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:23.555{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64345-false10.0.1.12-8000- 23542300x800000000000000046154Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:25.468{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E218E45B3C9E66728019506A286E32,SHA256=94E174013FC9BED2AC8F707FDDCA9E9E1529AB4428A724DC216949032FFBBD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032720Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:26.916{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D522F20018E79A66F646BAE59FE55865,SHA256=E941091D1EF09F5065A1EA498D0A4C3D6F9311E418BFDDD84A84ECB9E27EF9BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046156Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:26.518{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BF429E4381071BDF42152672A34F8D,SHA256=EB3B87C7B100C699911B274792F3B430A45F83C5ACAC6D4EA4040011F9492C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032721Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:27.994{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407D2A58607F4FE6C8DEE1BBA9BD8598,SHA256=771E65C913A88E185DC419FAA1383B463F2480E0F23204CCED348A2700A23789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046157Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:27.567{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B86AE5C5A64394F87F57E25825DC02,SHA256=C40CD69291C121E8C4789C3100EE5EE0ED09B46A67D4BA81BDDD42B8F8E0F47F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032723Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:28.995{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F94C100E8986623A764E3EB7275191C,SHA256=640397B9E5E70B79E26834B1AE984FA8327DF37BE7382DC051649F19017C9BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046158Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:28.586{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140A0B13225AACE556AB390FD297063D,SHA256=EE111A406EF5F8833D8FC7DFC785CDE87C84F8F302EC035DCA48B3F303BB4294,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032722Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:26.900{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51498-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046159Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:29.616{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD4435EA8AE353043651E58AAFC8ED9,SHA256=141929A05265D2396530964A956FCF545253067B4011EBB4C7FDD03AEB0EC2CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046161Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:30.622{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C38D61F1BDE8B9DE97952CB4DD2798,SHA256=74853ED8262D3C9BBDBAFEB98EBAE1EACA018905B10362D0270987175AAA843B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032724Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:30.026{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B460E3596F4792621C1F27C77145D6,SHA256=AF2E973A7B89FB527E9428336C0C0F921D187CA4CA9A0018D70AB91C9B9CD47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046160Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:30.591{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046162Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:31.637{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ABDF22332A90CA519D7BD0779C2BEB,SHA256=98ED87032345F3E6CB1ACC83442C46D256C46C3510413D4951CCB8EDD5231496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032725Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:31.042{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DCE89848ECA80B88F87D0B77DD893C,SHA256=7D4161B5A827DF5641B92F63520D52C68BFCC5AC6A5FA613C43687720B2DE60B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046166Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:32.936{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAFA484483DB904D0A00C71DD6301110,SHA256=B742FD6CA5560FE97FC7E74015986325E0D265BDDB8D53CB60ADCB5438980931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046165Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:32.936{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCB61838F1F4BCCFDC2AB63288C33622,SHA256=EDBC8DD531F35F3CA9DE386F1D9DB8B8689C22B8E93AD6D278EB571A18A5B7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046164Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:32.670{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB27597036F3F34494A61CDCA6AAF2A,SHA256=A270EA8CF32FF90EA7A00CEA35B8C9077915BC0D62A5249ED613AE85BE42D7C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032726Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:32.058{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD9C7330CCB2DD29242DF3819DA8280,SHA256=663E80B50E4353A7A4EF5CCB2D7A78C760DCFB078D9481FD15EADCB943D4DE0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046163Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:29.551{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64346-false10.0.1.12-8000- 23542300x800000000000000046168Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:33.751{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF435027F5B45D03896B0B8BC33D25BF,SHA256=FF99D4B7FB56CAD63221A6DB3964A32D68B5E98CAA0585ACEA75024E8AE7660C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032728Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:31.947{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51499-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032727Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:33.104{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2D0C94ACE9F1E00B0A7D4C321FBA6C,SHA256=E91752C2EEEDC88F29ADB5A8F607FB8C16F5407A4ACA5E355C44D626641043D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046167Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:33.472{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046172Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:32.888{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64348-false10.0.1.12-8089- 354300x800000000000000046171Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:31.341{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64347-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000046170Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:31.341{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64347-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000046169Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:34.804{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685F8D72DCC25AB5F9A9CBC8631AB6BF,SHA256=BDA68C50220E23192E1E6F3703CB0024BE92929281674EBCBE5F925E4514E896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032729Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:34.136{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60EB9339ACCD0690A052C9F96D24A869,SHA256=1791A93CB394943ACF399451332656DEECD17C04A7E2BD6D587333A64C4096A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046173Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:35.835{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40AA8B6B7279B320FE9B28D9B0DA0E2C,SHA256=E1A0C32C381B48FB22DDF47E7277CC57031CFC5D09BDE623BE566F8A222FE2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032730Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:35.167{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFCC473A030F3AAAEC09B45EFA716DB,SHA256=1AFADA623E563E27104C61F23C7A6B77CE3431ACB6778B45175E2639E83F127B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046174Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:36.836{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6668D9FD06108A3656FC8977AAA966,SHA256=2ECB3C480EBA505E3071B3C9F4C78717FA294C0A9C056740531532F56297BB68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032731Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:36.183{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9FB4FBB0594B5C9F723D8CCCAB4526,SHA256=2405CECCC159CD030A47344382F771CBF611BE2B16CE4182EE164F9BF2E20665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046175Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:37.851{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF2E0AD14CB79A28453CFBFF10227FD,SHA256=1EEC6E5F57D5EC1AFC69A60E1A046E93677AF2E5120D2A0B71629A60B17976E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032732Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:37.198{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603507B28FFF4FC24DECB134F61B4ECE,SHA256=DCA2268025EB72CE8918F21A36209A9B6FB1C0BF3BAFECB5E37B30000A224716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046177Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:38.869{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C396CBD47CAE8EE8018E991EC0DC79,SHA256=B6E4DDBA87439303FFCE3DC604788D0A7F074044A0B8E1613DA9DF6226ADABF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032733Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:38.261{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988B6849CA24FCF71A45B9A9BD7FB310,SHA256=8F759F3712C5F01588AE7986F8AD833CA6AB683EF52F4CA292559AABF1C173AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046176Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:35.523{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64349-false10.0.1.12-8000- 23542300x800000000000000046178Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:39.888{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE3C54FFFD21DA251D6D621FF7A4EFE,SHA256=4F3E507D0E395BBB5000421CCA2AE50B3780369D4F0B499864B6286918228C24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032735Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:37.885{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51500-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032734Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:39.276{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12655548D116CD4CF5C85F2E8A5EC1C,SHA256=74FEFA3BF8D4A127EB14B3FCA536751078344D4B4E378C2ABBDC4FBB9F1A9BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046179Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:40.889{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1642B00969CDE2B983CCB91AB4A598B,SHA256=95F24CC3CE572B10BE3EE0A1D1D914E4A8FE0C5801E7E2634DBCC79F4AD54AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032736Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:40.292{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6DEC1A8685A2EF6A84CD1F16ACAC86,SHA256=32F0CAB61697A3A5DC81AA54A954F9579E0D858512FA51DF89BF12AE0BCBA8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046180Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:41.905{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2A36E1619304CA1505012FF30B6796,SHA256=64AFC9ED1AB845D4E6B72FA58927C0CB05EFF65C22601F1F3DBCC3852867BCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032737Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:41.292{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB27A3A716F05B0B2B2F9311847CC9FA,SHA256=3DE60F037D67D469BE7212C00A00219BFB826AE9CE2B19EADABB4DFD85E33A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046181Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:42.919{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE61532E9DF5EC881EDAE4FA31CD1E60,SHA256=D10D290BE7314C4AA1003D3D03D2175FE785785A4F3EA2943D885BC085F60347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032738Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:42.293{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF232BC1F9F98E8096F6D64D738D1D04,SHA256=B0CFAA965B008F7BBC4E740037BABA2E630C9442FE4D5C577291C71A01C8034C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046183Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:43.934{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA31BBD3AEA47F9E566B4F67F0DD27A8,SHA256=60B903E7ADF1BF0BD17AEE38A833ED2D97D2F4F74467C19A4101633B6BC6A5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032739Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:43.305{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3118E19008A99E0D0A25DD0484E36D2,SHA256=B1A17FE89538BF3F9CE4B7EFC9762F53603812A23F1253D5C8FCAB65FB5C2C6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046182Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:41.487{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64350-false10.0.1.12-8000- 23542300x800000000000000046184Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:44.968{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C535EB2FD12DC34537C63AA37814BA5F,SHA256=265003A5895FFA829592F734B7DB687A495F4C86A6AA22A0B9C9F90D6C6ABAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032740Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:44.320{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13F4CA4930F4936123B437B145DDEDD,SHA256=B2E689A0D54C41F0C599BDAD573688E6479F84D0FFA536CDF14F9312CB870E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046185Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:45.986{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E905CBD3BE8BFABA43BAEE00DD267447,SHA256=EE60D2D2EC539639282E666351CEC7EA9A3AF6EA013CFF0A0961272BA5BF8C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032742Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:45.336{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C392E5FAE70EF005F7422F8AB85DCE,SHA256=C22E856AB90AFDA20A897DC5902A35FF8A9D406F56C2918C3C6C0E88C03B8BEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032741Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:43.007{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51501-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032743Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:46.351{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B007640A96B78FD9D86164975DCF5D,SHA256=0A6794A55A252E5F07204F6E97962A0D2C58DE21B41B640B051CE4097A07D2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032744Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:47.367{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7A66AEA3C4B61D56C9873DE83C93E0,SHA256=079B58660871F9AF8A99246B7EF1BBB9C45A52ABFC627FF6BF5AB30EBC2EC5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046186Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.001{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA7B180907235C9C6E3F09E03603E69,SHA256=5539C278C954BBF76C25D955EBAA04D808DDA0BAF0ED11E521F12738793419F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046191Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:46.499{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64351-false10.0.1.12-8000- 13241300x800000000000000046190Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:46:48.316{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x800000000000000046189Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:46:48.316{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Config SourceDWORD (0x00000001) 13241300x800000000000000046188Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:46:48.316{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9A7B1CBE-334F-49C9-89E1-93C4FD220585.XML 23542300x800000000000000046187Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:48.047{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69DC7C2D6E6A32418A194290E4A7804,SHA256=5199BCCE59A1ADE0DD860FD3B93BA8F4DBACF1CFC3B9973C35EB8E85128818C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032745Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:48.382{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765A746F4EFFB7C38E21B8D74FE61335,SHA256=AA529EECA3BBB137522213D5697BAE27E189211E22FCC8AAA348C86B3EC2C29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046194Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:49.347{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9392D63B101F6BE0AE41F7B293CD08D5,SHA256=47D0BF4D98760C0A5FDFE59F779EFA86148E71E0683A94098743E76FA8294185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046193Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:49.347{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAFA484483DB904D0A00C71DD6301110,SHA256=B742FD6CA5560FE97FC7E74015986325E0D265BDDB8D53CB60ADCB5438980931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046192Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:49.067{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0211779DA43B5E077483ACB91801AC03,SHA256=4AF79B9E1B1DE2AA832CA8DA648D61B72894C0F07F9AAC8AA27C3584265AAF23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032746Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:49.403{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C0CFB5231B35F91228FC867DEED900,SHA256=E02D23E1F58C605BBDCE41C7771151F3162EA1191B9486BA9C36BC317CAA78F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032747Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:50.418{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681A44716366595B952188301CBB21C1,SHA256=85F5B99D284B359E1D4C80CFE308CE03409DEC6F13FA084FED3BC0B6D132AA3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046205Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.771{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64354-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000046204Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.771{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64354-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000046203Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.765{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64353-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000046202Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.765{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64353-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000046201Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.752{82A15F94-3493-6112-0D00-00000000E501}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64352-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000046200Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.752{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64352-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 23542300x800000000000000046199Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:50.184{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF8ec437.TMPMD5=98D337AE5290E897B55C45A1E233320E,SHA256=AF7E2A4CE72342DD3A7EAE18801CDB1C6819994A4573C77DB257BDABE8CE6FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046198Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:50.084{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABBDABF889E45B6261E1115FE2F94A2,SHA256=18A8286A2D6AC7011E21E23D4BB051E1A706773B7E38D560432BEB03F4A69DB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046197Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:50.016{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046196Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:50.016{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046195Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:50.016{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032749Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:51.434{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40FE3E66BDE944C837907B3EE473145,SHA256=CE7BC89C93D49CD29F161E606B30EC2DF4AC6EDFA3C46A036B5A3D418366693D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046206Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:51.115{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFA38EAD483B3559AF5E52A5DBEF761,SHA256=03AD7C3D0CDB6141E0960D5DAA09BCF8A647670C0DE2C89062074341AD7096FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032748Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:49.011{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51502-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032750Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:52.481{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D27F10AD0C1865F965A1896CF2A06AD,SHA256=FC63659DCF2AAA1E75DB3A4069BA2F89084AECDE5D2B3173A756D0C90F229EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046207Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.130{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913667AE2D138ECF3C46611964FDF133,SHA256=9DD387D5063E420FA0FD92297CB436F0CD5AF703D701B0AF4055346FA62B049D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032751Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:53.512{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A8E78F36F95292AF4BE4E241A38D06,SHA256=992F902294BEB19499417E5B96AE1C746134D71A6E433177E6C085E8CBA10EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046209Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:53.145{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66011708C67F06F4F32D7257EBDAA5D4,SHA256=2B998429C8F68CC89A8783B5A4FE9FC545E1FD4EC7023A8C395CF3420780A110,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046208Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:53.130{82A15F94-3491-6112-0B00-00000000E501}6321008C:\Windows\system32\lsass.exe{82A15F94-348E-6112-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000032752Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:54.559{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46436DFED9AEEC54EE2ED77B7B282013,SHA256=A19DABE3544174B2004AB5EE1A4D3B6BC5690F493C1D784B4B3D7D15563D837D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046218Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.569{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64358-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000046217Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.569{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64358-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000046216Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.480{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64357-false10.0.1.12-8000- 354300x800000000000000046215Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.475{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-15.attackrange.local64356-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000046214Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.475{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64356-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000046213Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.468{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64355-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000046212Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.468{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64355-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 23542300x800000000000000046211Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:54.163{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EC8FC9B277CC654E1006CE89AF01E6,SHA256=218DA61C64D4A4FDA7E907B25190CC22C0A4A0BE45C62AA7A8503DEBD19D57B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046210Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:54.045{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9392D63B101F6BE0AE41F7B293CD08D5,SHA256=47D0BF4D98760C0A5FDFE59F779EFA86148E71E0683A94098743E76FA8294185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032753Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:55.574{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7629E49A4BA445480CB55904F070CD74,SHA256=047EBA7B632D370AC88084F9E2997DC721646596EEE3F60929D4E9BA15B51010,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046236Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-591F-6112-1E08-00000000E501}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046235Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046234Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046233Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046232Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046231Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-591F-6112-1E08-00000000E501}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046230Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-591F-6112-1E08-00000000E501}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046229Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.846{82A15F94-591F-6112-1E08-00000000E501}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046228Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.398{82A15F94-591F-6112-1D08-00000000E501}58604192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046227Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.182{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FE88497141E529C4E8BBE43C8A1DF0,SHA256=576613E99CCB381668E9B25AD9084835966E09CF01E612190DC6760F8273DBD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046226Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.166{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-591F-6112-1D08-00000000E501}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046225Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.164{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046224Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.164{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046223Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.164{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046222Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.164{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-591F-6112-1D08-00000000E501}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046221Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.164{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046220Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.163{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-591F-6112-1D08-00000000E501}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046219Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.161{82A15F94-591F-6112-1D08-00000000E501}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032755Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:56.590{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE0A256FAA5FFBF3F02035E5D885E80,SHA256=7A8F6E3E45A845990C98C0D2BE717046AECB928A802565D6463C062300BB96C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046246Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5920-6112-1F08-00000000E501}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046245Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046244Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046243Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046242Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046241Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5920-6112-1F08-00000000E501}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046240Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5920-6112-1F08-00000000E501}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046239Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.514{82A15F94-5920-6112-1F08-00000000E501}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046238Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.182{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B105E8B27CDBF49ECC045F20F2BF0E48,SHA256=A7FDD8AC04A27137C102CEB78CD338EC86B1DF1E7B2D8307F347CD7A27CF7CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046237Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.182{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40035C1EDBAC36AB3B8ED94D740847D6,SHA256=25213E4EF4D80FF9B142AB72B9464B637855CC81D6858CAFF513424834358E50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032754Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:54.011{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51503-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032756Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:57.668{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC6954BEB035EE8F1A011DFA0ACB451,SHA256=0B00240C26BBB089C1CB2329FF36D1FA722105BDAF5C8A24B185920AD3F41046,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046257Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.544{82A15F94-5921-6112-2008-00000000E501}52922440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046256Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.528{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2676A4A3D9E663B3B362E77EDB95B222,SHA256=74EE0BB864BA1C5D387DC5398D996C8B6BC789F5F25646389D34000DEBC39F6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046255Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.366{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5921-6112-2008-00000000E501}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046254Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.364{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046253Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.364{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046252Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.364{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046251Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.364{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046250Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.364{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5921-6112-2008-00000000E501}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046249Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.363{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5921-6112-2008-00000000E501}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046248Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.361{82A15F94-5921-6112-2008-00000000E501}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046247Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.197{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438A0212A8F2DA5C99AF307ED3DC62CC,SHA256=5039F87A442367E7D4A0D66CC81D0937F0D94E9DFCB2C953E6761E61409591AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032757Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:58.700{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC8DAD16F35BE596CC556A8CC73B419,SHA256=9D268ACC110F05A1AE833F9B3FC8B9C8AE81330406AB6243C287130DD6626703,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046276Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.912{82A15F94-5922-6112-2208-00000000E501}10204692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046275Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5922-6112-2208-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046274Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046273Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046272Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046271Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046270Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5922-6112-2208-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046269Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5922-6112-2208-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046268Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.714{82A15F94-5922-6112-2208-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046267Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.227{82A15F94-5922-6112-2108-00000000E501}64406784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046266Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.212{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8F277591BA0A96D8953DC876BD2035,SHA256=E0EFDF0FC625BCC8673C0FAED8FF0B02033E82B2B313A214A71FE744FB3829FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046265Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5922-6112-2108-00000000E501}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046264Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046263Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046262Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046261Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046260Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5922-6112-2108-00000000E501}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046259Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5922-6112-2108-00000000E501}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046258Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.044{82A15F94-5922-6112-2108-00000000E501}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032758Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:59.715{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1B8318A40B7567EEBB44868749AFC1,SHA256=A65ECCDBE21949C6F0C6DAC2011E23194F37660B78490BA76489CB952D36BF80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046286Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5923-6112-2308-00000000E501}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046285Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046284Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046283Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046282Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046281Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5923-6112-2308-00000000E501}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046280Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5923-6112-2308-00000000E501}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046279Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.329{82A15F94-5923-6112-2308-00000000E501}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046278Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.227{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC22AF8D0B80A7F9138738ABBB704B3,SHA256=485B811302FD1AF8EA6338F02485FF65D3411A4BFC7C7102EBDEE3C987BB7318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046277Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.062{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC2E09C93E346FFACA9C1270EF6F0774,SHA256=EA5F00CB7E6B867DF5494D00BC4E7048D338F5D4FE1610A1274264125789067C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032759Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:00.715{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB4A875D36391ACD37D471BFFBB52E9,SHA256=71DBD85832112DB1E67728D2AAD19C1423F53AF9A43FF12EC1250E1BB6F70452,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046289Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.647{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64359-false10.0.1.12-8000- 23542300x800000000000000046288Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:00.411{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EC504078F723132B8CCD4FC1DACB5B1,SHA256=67C1C57F3D9261F9720CC2B224B85073410F25E3CA722B31A3DEEE75C4FD464D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046287Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:00.242{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B46ECFA608B90B0193A9663D2C5388A,SHA256=02B2FA10A85B4D21CE386C1A4A3AF2E6E0CF96FE2D5A5BFEF21F1397FCCCF4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032761Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:01.746{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7906DBF91B5FF974F4B7D4CFCAEAD36A,SHA256=9A858EA073E84C2E3CD67397256C884647FCAF6792B4BDD7F8E210CA39259D7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046291Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:01.912{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046290Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:01.280{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE0CFBC1D6188B2F1D8743EC279020E,SHA256=BCA441FC859FBE4B89922B6C7C8C301D81A4E4437748EE4D9773E5C53AFFC406,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032760Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:59.948{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51504-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032762Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:02.746{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1253AE77B0438E08F4D7A67CF8097743,SHA256=E76F6FB22B53CB59C2D78C290131E3B290118B2E35BA9DFD8C52DA1C0324D045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046293Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:02.281{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1A6C328836A1395CE0CE3AEEBCED5D,SHA256=2288CE635FEE0ABE6ED26C317F549DF19790B3240FB25E4AEAAD18E09B13E665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046292Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:02.081{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3F31F9B40C18E07F17E4FD40B578B6B0,SHA256=DF5842E2BEB8193F8CE47D07B8B8662D29DA35E0C23F966B4DCB91D38B012590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032764Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:03.840{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032763Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:03.778{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DC4EED367420E5CDA9CF9F7D370326,SHA256=D0AA1B878753B671FEF01F43DD2CF29E6594D861EABA252A9A68A2F9DA373D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046294Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:03.295{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA4BDA6699272E5164FB68F386F47BE,SHA256=96331D00A9B638D500BA784A04C3F49161DB5130B4A24B78549951A7129BE24A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032765Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:04.824{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8BD70F86FE0DC33C538039D8DACA47,SHA256=5B83EB47ED7584B65B8995812E4AAF8D13EE166EA0851ABB37F5603DBB646908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046296Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:04.896{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F5870C6ABEAAD9BAAF9696B2C7853DC,SHA256=97109BFF320A99D7D13D603187309C211B8F5852B25ADD10547C26B87AC8911E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046295Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:04.312{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECF8A63AF39584AE9F2FEE5D1E5290D,SHA256=0A1C166E372918DDDE7C39873DF22054C82AF6CADBD2DDC6E5A6795B63375A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032767Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:05.903{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF5A799414EA3C35866FA160A994DCF,SHA256=A3D6F241024746ECF9B1D4E7ECA2306B2F4E7B9CC1181C5E2AF50C974D09CA65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046298Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:03.447{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64360-false10.0.1.12-8000- 23542300x800000000000000046297Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:05.327{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65C9B1C68595BD2681AC2D3DDAEFB66,SHA256=CE31D282632996C459673D920F99579022CF6BF997412D29D307C552769A1099,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032766Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:03.605{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51505-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000032768Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:06.949{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD81E2D2C90072A7BF42F2359B76812E,SHA256=59BD89C29A4936BB8319020A30807108547B8586099947C2154EE7DC7A3EE93F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046331Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046330Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046329Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046328Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046327Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046326Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046325Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046324Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046323Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046322Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046321Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046320Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046319Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046318Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046317Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046316Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046315Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046314Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046313Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046312Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046311Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046310Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046309Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046308Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046307Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046306Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046305Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046304Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046303Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046302Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046301Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046300Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046299Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.342{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C978D68AE916F4593C856E01298F95D9,SHA256=89E689960541E97E5627E89C1DCC71B2C495D16B29FA4980F716DA7E4FA700B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046332Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:07.841{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D315DB02E07D10A9731FCA1FFDCD73,SHA256=E990DD591F911999AC39A88792056902B30EC47127837A8626EE450001F71CB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032769Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:05.980{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51506-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046333Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:08.894{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F595B94997AF17B075D465872E7CEAEF,SHA256=9D6CD3293BC88F3A09133149DA14F6550576E735E9DC519FF66A14F99417C050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032770Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:08.012{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0280019D5F3CE7E1EE9F2B0032801F,SHA256=8B00CB3F0770B0C7540BCA96D301BD174D377520A46FCDF0885102BF249CB882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046334Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:09.909{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D5AFF849A641C3F9EE34908B31B6EC,SHA256=3F96150886FE317A97D589970A09BCD59C9460E67FC784CD188D72FD7D49328F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032771Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:09.039{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE1ECCEEED49C0594C4E31510523D42,SHA256=0D70D81AF470B3E3BD0C655814AE03083CE52D655E9AB1AAEAFC194AD5B2CB18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046335Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:10.915{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE950C09288E77FA6823677D108A28D2,SHA256=D0D5D9EE55B42E8521429EB9D062573A9D553A3E3E89FE9A6AB04486427E90BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032772Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:10.071{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAB920FC8CF4E10F330E9B47BF07D29,SHA256=6AC60AAF3E91E4C10E0B59DD24F7721E1E0BFB5B31FB7A7BDF1A59B654F74857,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046337Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:08.629{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64361-false10.0.1.12-8000- 23542300x800000000000000046336Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:11.931{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BADE8CDBCB00F18E308CE160287DBD,SHA256=67B350EC8A4B9238EBA61F90778187A5850E2EDE948EB4D153C44A7AB70C3B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032773Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:11.086{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF876BA41F018A8A55212FF29A055464,SHA256=1BF5DEB278E0A6FD4F8D5D7AEFC2C67628325098015F4E7698AAD787357F62E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046338Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:12.964{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B328CF101FA69793FB7007FF50558AB,SHA256=F5F0EB67ACB8A49B5A8F7A7CFDB671CDD0737D2889C5C2E9F1571748AA16288A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032775Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:11.038{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51507-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032774Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:12.133{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595A7AE28E2C9CDB29DDE29509BE950B,SHA256=9287A9AB962CB16FB97745484170502901B87309609F1AC6096DBDD5D675FB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046339Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:13.983{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66820EDB8EF5D9799CE2E748218CDC31,SHA256=5D5C95542DF9AEFBDE41FC4BAEB111DDCDC0ECC3DFBF8D5921321BF6BF0F9142,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032790Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.758{82855F7C-5931-6112-9506-00000000E601}39763384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032789Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5931-6112-9506-00000000E601}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032788Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032787Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032786Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032785Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032784Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032783Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032782Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032781Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032780Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032779Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5931-6112-9506-00000000E601}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032778Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5931-6112-9506-00000000E601}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032777Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.603{82855F7C-5931-6112-9506-00000000E601}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032776Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.180{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0743BB048CE6442E6F22925B794B85,SHA256=8630409109F23B63D1ED1E08B85A24E5775B2B67B287059A9C6B6E96AC8B566A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032820Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5932-6112-9706-00000000E601}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032819Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032818Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032817Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032816Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032815Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032814Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032813Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032812Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032811Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032810Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5932-6112-9706-00000000E601}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032809Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5932-6112-9706-00000000E601}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032808Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.853{82855F7C-5932-6112-9706-00000000E601}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032807Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.789{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D6998812FCE76E41EFDE92403563AA31,SHA256=953C7ACD2C088C47669E28F071048499D8B47713F32EA2750EAB0F1AEA6116F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032806Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.664{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A59F066B03F638426D293D518FBFECD,SHA256=A631BCA72EE263D0796AB6D2BD7193E995970A836BE7197CBB605F5CDA4A118B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032805Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.664{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29AEAD9457228C4714153E1E04EC8DB6,SHA256=DD386C02A2E936C874000A3F4A5BB83329B6ADC86E7B62F23E54C706F78C4BE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032804Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5932-6112-9606-00000000E601}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032803Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032802Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032801Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032800Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032799Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032798Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032797Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032796Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032795Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032794Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5932-6112-9606-00000000E601}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032793Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5932-6112-9606-00000000E601}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032792Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.228{82855F7C-5932-6112-9606-00000000E601}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032791Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.211{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4A80DE05DBB8B0223DCFBEBBEDF66F,SHA256=3C9B1FC451150A1A6CF38514B60A538D3E1E2FDB1306125958100D99001E697D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032835Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5933-6112-9806-00000000E601}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032834Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5933-6112-9806-00000000E601}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032833Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032832Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032831Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032830Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032829Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032828Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032827Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5933-6112-9806-00000000E601}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032826Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032825Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032824Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032823Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.931{82855F7C-5933-6112-9806-00000000E601}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032822Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.852{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A59F066B03F638426D293D518FBFECD,SHA256=A631BCA72EE263D0796AB6D2BD7193E995970A836BE7197CBB605F5CDA4A118B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032821Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.477{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833309346E79EA50D1961078C072D374,SHA256=4A8C126DE8E430904315031DA6BBEA2AC29609D5E42632B7728145C94907A314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046340Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:15.013{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD9539700EC736D8636A1765F6DFBCA,SHA256=1C40956F206FE7B6C18EFD7537539BC4694560FC0146637BC7114135D6E5574B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032852Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.961{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=413937B0730C7C9F9E08B0FCB8DFCC94,SHA256=5999B1530EE66298AD3C98076EA61041115A91CEAFADFFBC8F8DF07261E2777F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032851Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.758{82855F7C-5934-6112-9906-00000000E601}9602004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032850Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.727{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D031207B1205B03DE49F0DCA5B7F3F,SHA256=E29B414C6DB138F849EA212529FC8D3E6CF6F10EDE9B9EDE19B77D62EE33E4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046341Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:16.028{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131F8B363603CEFCBB1D18BFF8E94E24,SHA256=4200EFE0DEDC713FAA09A52279814B2153CF8131C4888C591501DFBA081D082D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032849Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5934-6112-9906-00000000E601}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032848Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032847Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032846Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032845Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032844Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032843Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032842Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032841Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032840Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032839Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5934-6112-9906-00000000E601}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032838Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5934-6112-9906-00000000E601}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032837Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.603{82855F7C-5934-6112-9906-00000000E601}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032836Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.102{82855F7C-5933-6112-9806-00000000E601}40443684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032880Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.930{82855F7C-5935-6112-9B06-00000000E601}708988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032879Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5935-6112-9B06-00000000E601}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032878Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032877Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032876Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032875Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032874Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032873Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032872Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032871Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032870Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032869Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5935-6112-9B06-00000000E601}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032868Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5935-6112-9B06-00000000E601}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032867Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.775{82855F7C-5935-6112-9B06-00000000E601}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032866Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.743{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7174DE27172316080FDB010459FF42,SHA256=393D50E5BA9F3D7A064043F6B94A5E133521D997DFCDB65047D3A20441A4C5C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046343Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:14.596{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64362-false10.0.1.12-8000- 23542300x800000000000000046342Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:17.043{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9F9C91D92CB4093AD098DB65D6B296,SHA256=C2377C0E4F57063AE55528F8BECBF8AE61488AB88DC1ABA4D9483FED3B4CF696,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032865Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5935-6112-9A06-00000000E601}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032864Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5935-6112-9A06-00000000E601}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032863Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032862Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032861Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032860Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032859Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032858Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032857Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032856Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032855Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032854Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5935-6112-9A06-00000000E601}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032853Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.089{82855F7C-5935-6112-9A06-00000000E601}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000032883Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.929{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51508-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032882Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:18.758{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E3FBDD829B53C87269A813DBECC0A0,SHA256=CA3E0E4313580A0E96BA41F1DD4BD561B16401DE2616CCA3806AD020CD9B8989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046349Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:18.585{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046348Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:18.527{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000046347Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:18.511{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000046346Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:47:18.511{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.3780.20.79607948C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000046345Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:47:18.511{82A15F94-42DD-6112-8005-00000000E501}3780\chrome.3780.20.79607948C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000046344Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:18.061{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E817016CC6EB84506343669BACFF08,SHA256=5A718B4A74BF30DA0DCDB2D2809416860FC8CD4DFD248C05E27920B7C7C1A9E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032881Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:18.102{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=766DA93FC6E1EE4135FF0B957CBB0D23,SHA256=7EE02E808F5BEED81DB2C0C5EA93EF6EA8D05F45ACC331A7AD1C3756061C16B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032884Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:19.774{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95CD28BDB5F998578BC010EF66E4026,SHA256=8EACEDFCCC7E108D46EA97C08E475A5652350D2820657A70F3D397721B5EF9D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046350Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:19.064{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F6034E0C22FA8D6A6904B62859419D,SHA256=687600E3E7DB1E67F2EE951BA1977AD22B7D09B67E091EBAB13E7EAA1E33183C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032885Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:20.789{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01A8024B14730196FC4359FEA68CCF7,SHA256=39DC7DE03C4B5CF684A97DC319755259B2F3FDEBF143F996761911670696845A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046351Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:20.079{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53ED34CA1F0487B11221304916ED7DAB,SHA256=A53F035D0AEF0AADE2463A6139C304EB7A396EF58FCF0A86C40DEC91F1E485F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032886Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:21.805{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FBE012CC632845E7DD747E493A42EB,SHA256=0916017A7D1D7A57EC5C43CB76DBCEBBE5E114CE2E18000DAD3994BB55AEC543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046352Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:21.141{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=732ED8D0AFE041EE78DBB30CB2BD2449,SHA256=7AA11B317E9C9E5639FF07214949F80E367FC23C559B8B19BA314919375832D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032887Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:22.821{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E71A4B64B7C7D4098D0A5B8BE9B9EB5,SHA256=196E8CA82AA0C47DA328A7669E1DEFF56598BE72BCBDB166ECA083604E2FD157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046353Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:22.142{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C294567C94659347FE7099F5FE86C8DC,SHA256=695D1F02A00B1D6B1F96DCD7B8D862F7B6541C1989299211C664123E8CE6BD44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032888Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:23.821{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0EA2B4A7617D26D53647718D23E6CF,SHA256=2B75257439E8DB1C1EF94F7D2074FD454442EF3355D0049631F87B63AF273B49,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046355Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:20.576{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64363-false10.0.1.12-8000- 23542300x800000000000000046354Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:23.144{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3A5325D4B894E78C7AE844C63347D5,SHA256=A48990A8138D31E0391F1749373EF3A43C1ACAC9209FDF466478D2E980ADC8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032890Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:24.836{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADA1A478B5783490F459C059F57BD3F,SHA256=1E299073B96EF507B440728418B7F2AF37168E7D78693599947141F64097BEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046356Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:24.181{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E60AD08A479A4D2735469F3A6E350D,SHA256=14E98013008F3364D3F93744832A04DDF089A264C248B74DE7326CC734D81F73,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032889Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:22.007{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51509-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032891Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:25.852{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9340BFCE46038F3C3D4B91A336D94EE4,SHA256=D3592830FC9FA0A14AA43A398D365DBD263B8927821E7A255191F1D82BCAD394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046357Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:25.196{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2916809DC46128173FC6A8104BFBE58C,SHA256=F6DD323B4F202503282C7F5458A81FADE9E762CDBB5D20B0AF535EA4666B4983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032892Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:26.868{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A049F716A8E56A315EB775E27E0C850,SHA256=3FB10BACE4D6FA16465463D4CC6BDC5D13A42DEA76DB4EDB2808F4306029E232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046358Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:26.211{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7716C71904794C89F496F12CC3B9C71,SHA256=AA4A9D4CC3B9B0FF600FD71739D57691ABCD752C1E9F89EE2D96C0F830CF2C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032893Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:27.883{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABA960DC8790657D46343FBD6E9D137,SHA256=EE280ED318CD526949986E72AFE9FB2790D8DF702FFFB9E76229CA9F0CA0B89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046359Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:27.211{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308BD3A148922383F8E7E48BC7EA6761,SHA256=4BDBEBEDC77D8305B79F0E31C6496343B34EF44D86C994C5AF849C0B28A99A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032894Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:28.887{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68416F345A6AE3E57EE77175C70EBD31,SHA256=6B3D6ABF72E04CB90096AD0C68DA7225784D65F1436229ADB89B17209D89C87D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046361Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:26.594{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64364-false10.0.1.12-8000- 23542300x800000000000000046360Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:28.226{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA55F53F2E0848AD51DA27BF64602B2,SHA256=E5631FCF1FAE35A340302DF047C8D6B93A44084B4B4BBDA2C4519A584BC9B34E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032896Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:29.902{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DE9F7D1A3DF8D409C6BE3C51792F5F,SHA256=DBBFF02B16C5A39FBD146163E78C5B2243D48599244DE9901FB6FEA8A82F2993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046362Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:29.241{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F9FCC62732A65052B047F56BDD9C40,SHA256=94A0470C0F6E5842CDA0B62C449AAAD006407F0775A85D08FC8AE587EEB03E90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032895Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:27.850{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51510-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032897Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:30.934{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5EDD11B90F09758931275F3F83E0C9,SHA256=F43019270092E1F49E5EB7EE9C74C22A5BCB0E28916AF64ACB0F6AD690EFE43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046364Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:30.610{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046363Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:30.259{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2E7C3104F41F55F666AD91911767AA,SHA256=E617201630D18FC08DC3B649A45807E7051ADCF1AB99D9E5E2D0708B48CB43AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032898Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:31.949{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98E30017946D2E99AFA3BE60EDE29A6,SHA256=2D47A80EF41FE34F4B8E6BCFF0454837112CB77F60FCD60FB2EB8C6B72B2A001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046372Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=59E6F76300B8ACF4FFABADA1E49CDC74,SHA256=06025E1BDBADDD240894548BC76ED21FC566C81600A9C29A6F1E0CA4FA0585D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046371Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=1F0DFE418E7D51C15246514C43E30622,SHA256=2756929014EC4EDDE631E3591D99CF1E1452DAE46987A1871639BB7271AE8705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046370Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=D399EADF871BDC2FD2F0757A612DEDC1,SHA256=C80B68E46CA70FC40FAFC1B85A3C3EA7A7A9196CC3BE71A00C0FA6E9468AD7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046369Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=CE6D533E9D6382AE8FB37BD1C2A6B55D,SHA256=E968FFDB92DCBBC986C0EE3AFAFB552F67139D043483EF0FCB6E6DBB1897364D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046368Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=33683931039A83458FF5920BFCE5688A,SHA256=E3F882D676C6C8BA5B8E50F6018F55E0388043CCFAA457F26B8C51357E8D0E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046367Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=1105A5AFEC064918A10D397E1251498D,SHA256=5E800C52BA5ED2F7C5DF4CD2D232F0549F77DD12D79EC48978C635DDAA2EDF1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046366Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=4AB8BC9F12332EC5CA720C70AE1FB0F1,SHA256=3D2AB996A5955D4B3F25DCE567BBE850BB98A01AEC313DC16C232BF07EF0EB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046365Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.293{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C9AB7F46897DE24D4CA5B9AF5D87EA,SHA256=AB9E0190160730F0812A4D0136EF4BB0C6972CCB3E6E69F0BC1007495664DC74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032899Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:32.965{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13BA88E13371C924D9B68418F17AAB5,SHA256=847FF38035C87C5864FACC8F53DAA4F3DA49A831FABCC4E6195804CEF51F2FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046375Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:32.939{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C32C99E5EF3AE7CB26859A98B95DD7D7,SHA256=FC0F97FB90882CC76A97E5CBB49B1552FC66075E5E6E5C5FE1739CE961650F14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046374Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:32.939{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=928118A35350CDA1EDACD5AFCCB0B7FD,SHA256=732969A5884FEE920748CEE90DC3DFB601AF0C82DD4D040659EDF7A06FA87283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046373Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:32.339{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C573187AF95CEB768A5A5AC94594D69,SHA256=D0D17576A342BEE8E1EA2249E6AA56CF887A0F9141D4A3EAAA96DB852E30CFAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032900Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:33.980{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09356C4E9CD7B49347D381595DB9A3C,SHA256=472C2C8616005AAA99BEB53921B7C6847C7AC7D3BA16ABE55217601E10590F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046377Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:33.491{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046376Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:33.376{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7BED03E3794CC4E5D35344AF6B6BE4,SHA256=B9BAE2D471046499092E0A87B05828DDF966A7CC1B8F3A3DB3007D2F8C3C35D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046381Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:32.543{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64366-false10.0.1.12-8000- 354300x800000000000000046380Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.344{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64365-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000046379Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.344{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64365-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000046378Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:34.392{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759650399E41F96A62FCCBCD1B5203FA,SHA256=004BB17C72E24B24BFB2CC68BB59FF01BE5C1C147B5D5905DF12E3F5F11596B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032901Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:33.010{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51511-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000046383Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:32.911{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64367-false10.0.1.12-8089- 23542300x800000000000000046382Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:35.392{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC373C4C925B5678F1AF368F0EB8B5B,SHA256=AA994B8E7D38B009283E9583A56BB0846AE09E00B0806A67C4A4F78D4919D04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032902Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:35.012{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6894CDABC6387751BADA8EFB187F8949,SHA256=2DF0AFB667CDC7A04A988154FB61EA3102CEA890DE4F4EB02F617C6DD1B1F3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046384Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:36.407{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F0EB3ABDBA769DBCC801D4C44FCB5C,SHA256=F0787E87659ACEBDE2B12BE860AC7220B261629771AFD72319B6916AECD8EEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032903Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:36.027{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3236452006C1858414FCD6AE8E6A26,SHA256=B5A76B574AD47B5BC45E5BF54B44C0297FC732CA750E2E6E03E05CD6A83FFDD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032904Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:37.074{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F3D5B226F9C065A8E4A17D9CEFE1D2,SHA256=04BDD6139D843996DFFFC2FF4BF7A9D544875D8217A09A8A7A4BB3396208EAB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046385Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:37.422{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66802DF2177ECBBD5AB1069413FD4EE0,SHA256=37654410D839FA62D07295A0C6A22EF21705AC87BF9D717137A9F2572F7253D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032905Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:38.105{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28171F15B2F42004AD6C2BAE282611CE,SHA256=1CA7DC22663D44347C28670629AB20B914B4896EC0D42C0EF0491CF18725E111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046386Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:38.438{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6564CBDDE22C69CB5BBFFD34C7BF080B,SHA256=6BBE087625A176C5A9A6BA2F22FD776546AA10BE49785FBAA4346F9D8CFBC357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046387Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:39.456{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BFFA4F04A8EE3E623DC4DD8A8369F5,SHA256=3D67A2C39454952FB48A675D66A26AE2733E9AD538C312E60B518488F95B89C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032907Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:38.042{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51512-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032906Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:39.152{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE73CB2FC13611EA7A4F822EDC5805BA,SHA256=160F0DD61550B0D22F1021CC2441682CE79EE788FB582AB02579A9F2543BEC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046388Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:40.475{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC45E83952B56C13211C9A794A634DC7,SHA256=6E706C45D758FDB28EF2EF6469FE1D3C7F3E2D124DCD125E5EEFAD7662461168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032908Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:40.199{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFC271F63C852B9C90573F2164E4846,SHA256=07278FFAFE833B97C9C70BD84881A3C6F28A40200A4C3BBB01BCCCFE5D925DFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046390Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:38.558{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64368-false10.0.1.12-8000- 23542300x800000000000000046389Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:41.481{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69088E9C083B6A5834B6370ED5DD9D15,SHA256=A75B9D9273950065F09B080A4266BB5B4F754B12B1349FE21A5D83B56D3032DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032909Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:41.215{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A774BD6048F317CD1825276C9030A27,SHA256=160B16F566A498082B8DA15954AB0BFF6F4143198BF90125E6C5DA3F8B4E3890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046391Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:42.496{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF5A1DFB081F9117DDA6AE4B6F18501,SHA256=4D499935A05241568AD6B1C0A043C94C40B5F5BDD5BA7BE4AF6E759C465C5777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032910Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:42.246{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA3EC5F2CA08C9A85E55E38BABE0A21,SHA256=8F62E0B8CFF8D858A245898FD2F505680029EBD6211643825D845AAB02F2FC58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032911Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:43.279{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512890F6381E37240AC607888A94FE3F,SHA256=3CB55304B701E0D1836EBD402794AE19283F7C935081EA50450A58E790DA0822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046392Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:43.512{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6EBABD3F43899398833F66EE24D533,SHA256=0C32247008EA1666DD2EF23E2D892F8BD9BBD063CCABC1FAB33B20E3D713A44C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046393Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:44.542{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70EFA4636DD4BA5114DB6DC867753BE,SHA256=ABCB51288BC6B359A961536D0817474AFF29A73E444B4A2FCAF05FCD548934EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032912Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:44.307{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B336F4950F67311E76446BA2F5608393,SHA256=28BA20FFF268268F19605AE2B4B563A22D83D6182C0A4EE98AB72319E1691C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046394Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:45.542{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80512606A03AABDABF0DC1FBBDCDB1A2,SHA256=7E720C09DADAF16F92AB6A203DAAB3A0BF7F6F283F8E40FD226B3DE8DE22422A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032914Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:44.010{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51513-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032913Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:45.325{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB301A65336153E6B9D739B811952A30,SHA256=869FE3AB40498C9187F54074C29094CC64992F24C7CDB531CF9BB0B6E08571D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046396Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:43.615{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64369-false10.0.1.12-8000- 23542300x800000000000000046395Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:46.559{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BF880D0140A8378036F6EC19CE3B87,SHA256=C2A450DBE81471B05ECDC278C13AE6B3209B4F5F825DDAEF0E3E17E21038E0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032915Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:46.357{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2BF0B3BC6A5AB1410647CEC8F5F23F,SHA256=C22416431FBF9C05A9ADD745F0E68C391C49B4DF2529E2E5A787D649C71F712B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046397Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:47.563{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703CC48F0916E895B5CBC3DFD4D12402,SHA256=3C67C4D2680E09B48524763CF395139AC4409C1EE50793A04A11C8C4440BDEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032916Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:47.389{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551FE99876136660F156F88FF344B006,SHA256=3AC1542BC2C302801B1074BE3DEFFF17CE5A61C20CB6BD214847B1AC6BB82BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046398Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:48.593{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B86701B7E7BD0311EF48F815EBA791,SHA256=97B682ECBC08182D34F756AC57056080908BEBCD45B0570F4D83C12A95BEE35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032917Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:48.403{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB394A050059A2402B044D7040CA7AC9,SHA256=176BCFC97E4E74C0A6934F303C841A20C3D17C4F0F7DA889A8868213C6095EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046399Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:49.609{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F240B069095B34C46D9C3C0AFB10A70,SHA256=87A034E8CC30D4467460BADFBF4B68D1D5E509DED57C210D38A78E33CDC11175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032918Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:49.433{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70CCA81AE9171CCD5DFD8D5DA13B49A,SHA256=35518A34ED69BB3929427C7DA0D750587AB5492A7E91B78C8472CDDB9CDC138F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046400Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:50.658{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5950F917BB8D9EEDC1D51017F8F4C4AC,SHA256=BB3D18056444C6A01547B1DFE7E414E8F2B8AF1023D45C07401B396075E0AEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032919Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:50.496{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33459CBBB11D3CAFBA02C0FB12B881B,SHA256=592EBB59DBFC9968D0F45DB1208DE89AC5DD0B79F555744653D46522E052CC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046401Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:51.677{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E720FE939EC11F2DC78B01D912F4B84,SHA256=62DB1CF48F22FF9675BDFEB26FBD5BCB63B6E4F367447B5276E3D541EEB5EDB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032921Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:49.916{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51514-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032920Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:51.496{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC782926ED3696E3AFCA622EF6DBEFA,SHA256=5CA1BE59E3ABD97E05B9C9B92D8D490E4F3A2E319FC71E1883978AE8C905444A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032922Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:52.558{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C867EE9ECF4E717E7BC89930C0584B,SHA256=A191D2D7269F53CF2536891BCBCDAA38865505256E47907EE6D35DA2F2ECED83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046402Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:52.692{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1DB15465AEE8A38B736CFA255C5A3C,SHA256=7DDEADB0BFF391DFC99D727C8767545C1A899430E683179370B1423033E1812F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046404Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:53.723{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCB6C3877224EF9262946886FD6926D,SHA256=9155E5029F564EB995C14FFC2A919B59966D83184679BE20F3F47E067203107A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032923Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:53.574{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5852460F54A5E5C80B9AB21520DDCE6B,SHA256=D23A9AB129079FCAE684D187A3359E42D987DC656FAA793A229508CB5E4733EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046403Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:49.613{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64370-false10.0.1.12-8000- 23542300x800000000000000046405Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:54.756{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECBBDC04AE6B5BD1E60A83E7456FA0E,SHA256=FCA8E145E491ABF8E4B55C8B2C8E0C2DDBEC376D29FFC75248FADE1E45F31802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032924Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:54.605{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA3B0B5D8EF52EA5A333BAC548C4DA0,SHA256=4EC27C8BD9BE0457CB7AC43A9B0A17C36E0CB0C0CD9DCABB87BEE820AB1E80E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046423Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.859{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595B-6112-2508-00000000E501}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046422Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.859{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046421Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.859{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046420Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.859{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046419Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.859{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046418Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.859{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-595B-6112-2508-00000000E501}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046417Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.858{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595B-6112-2508-00000000E501}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046416Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.857{82A15F94-595B-6112-2508-00000000E501}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046415Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.775{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191450B689303EE27B9BA6B5F6E9C67F,SHA256=49DF829D664AE1BB0066374A3CCB00F41E115C34A6AAEEFF14ABDBC4D5AEB3F3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000032926Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:47:55.652{82855F7C-3681-6112-1000-00000000E601}944C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d78dd5-0x2d321812) 23542300x800000000000000032925Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:55.621{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7684AA19A6CCE8D766CF3D4837585B90,SHA256=B73DF30FD1467E13E6FC856C7AB314B49620EA285A365AFD46F37133133C03FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046414Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.359{82A15F94-595B-6112-2408-00000000E501}64006828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046413Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595B-6112-2408-00000000E501}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046412Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046411Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046410Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046409Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046408Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-595B-6112-2408-00000000E501}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046407Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595B-6112-2408-00000000E501}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046406Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.176{82A15F94-595B-6112-2408-00000000E501}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032927Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:56.636{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D15D21D897A98B37D0F100AAC5B32F5,SHA256=D718FF8A12ED07DE54AE9FB5A0949A8965680993D48EAADD6550DFE54D0F7212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046434Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.790{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5173FD97BE9176999A42EEB241F0933D,SHA256=8639C39BEF344B535CE3AFB884CF067C663BF86682BF98BEE66EA5729723DD26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046433Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.357{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595C-6112-2608-00000000E501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046432Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.356{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046431Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.356{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046430Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.355{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046429Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.355{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046428Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.355{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-595C-6112-2608-00000000E501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046427Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.355{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595C-6112-2608-00000000E501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046426Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.354{82A15F94-595C-6112-2608-00000000E501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046425Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.221{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ACDC744A0E9844BD1B90BF015133215,SHA256=54DF9D7E1F5539941662E9CB70EE1F47C0062D541ED4E229CD3537A87E08B62D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046424Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.221{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C32C99E5EF3AE7CB26859A98B95DD7D7,SHA256=FC0F97FB90882CC76A97E5CBB49B1552FC66075E5E6E5C5FE1739CE961650F14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046454Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.541{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64371-false10.0.1.12-8000- 10341000x800000000000000046453Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595D-6112-2808-00000000E501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046452Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046451Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046450Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046449Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046448Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-595D-6112-2808-00000000E501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046447Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595D-6112-2808-00000000E501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046446Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.922{82A15F94-595D-6112-2808-00000000E501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046445Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.790{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FBAF55D4567FB54C43744470CA726F,SHA256=2BE9AC067015CC4FF38CC45757ACCB2C4B8444E362FB7B246B59314C5BDD2F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032929Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:57.652{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16872A6E46E9B417F2DA2B186237882B,SHA256=95743D568B189DB5F0F2CAE36AE84DCFB6CD8B201506F019CCBA94489BA098D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032928Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:54.978{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51515-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000046444Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.559{82A15F94-595D-6112-2708-00000000E501}22881396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046443Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.420{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ACDC744A0E9844BD1B90BF015133215,SHA256=54DF9D7E1F5539941662E9CB70EE1F47C0062D541ED4E229CD3537A87E08B62D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046442Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595D-6112-2708-00000000E501}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046441Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046440Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046439Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046438Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046437Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-595D-6112-2708-00000000E501}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046436Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595D-6112-2708-00000000E501}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046435Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.374{82A15F94-595D-6112-2708-00000000E501}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046466Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.936{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A29969731F24E7DE2D09AC6057D2B162,SHA256=1878801914BCD1458FEAD3AF21E65BF927BCA559D5E1647311D624D9AEABB290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046465Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.804{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DD1FF57C5A38C3B9A39D84F0B51D2F,SHA256=D1D7566F30A0AD7A8CE228BA1254A38B4283F2636516BE0A8A91C0A5A75F4439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032930Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:58.667{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F457E61A21A74C0A5C66FFB10FA110,SHA256=D9611342898EFAED1B77A2D2EF95546BA7A2204A8FB9D236C1EFA5A85ABD33F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046464Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.773{82A15F94-595E-6112-2908-00000000E501}67525676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046463Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595E-6112-2908-00000000E501}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046462Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046461Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046460Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046459Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046458Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-595E-6112-2908-00000000E501}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046457Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595E-6112-2908-00000000E501}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046456Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.606{82A15F94-595E-6112-2908-00000000E501}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046455Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.089{82A15F94-595D-6112-2808-00000000E501}41121476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032931Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:59.699{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE46C651BAC2312EA87C58F75E545F10,SHA256=144E7CCD0B1908D9FA21E04124354435BDCB7C9FD5D432D7A15CF5E02744EAC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046475Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.819{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B082CDF1953DF9FBAC270942CC0926,SHA256=03F71827A918BC4EC618518AC179A5C449184621BE2319A68051FB803D2B3C89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046474Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595F-6112-2A08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046473Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046472Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046471Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046470Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046469Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-595F-6112-2A08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046468Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595F-6112-2A08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046467Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.289{82A15F94-595F-6112-2A08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032932Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:00.714{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A089C9EE58AE35FEDE5C66BF468B0F,SHA256=AF8AD7A809BB53D7FBE854B2D11E90A43EF88796875C9945ADEC8B62CA557714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046477Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:00.835{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A417D07C13DAFD1B9F26C279409E9F,SHA256=FFD04D83DD01A660E0CC781387DDE6A866CAFE59BF252AB2A70E95215D46E6D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046476Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:00.304{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E086438EEE66FD5F92808020F3BA30CD,SHA256=181A0BA6659EC39D7FD48C725EBE538F865818DFFF604A149295542E942B12CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032933Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:01.761{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F4F58538C8BE9FC50E3A650ADE8673,SHA256=31F9268F4E1ECB3365B35AF57E2A7089276A804BA370519D5CB3138E8D956049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046478Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:01.854{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DECBF858FAAEDECFE011AE4FA188A8E,SHA256=96E1E97735E12F223A5AD8F12D21D61B3534FD39F2DFD27717B53CFF4CCF9CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046480Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:02.870{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FD6F5A0411D4802F2EBF5C5CBA8239,SHA256=3147F289620FC7FFB5A52A69294F89A704AC3FB012694BBF12D84EAB5A0D11D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032934Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:02.761{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2EB273F74DE479B488101072A2E758,SHA256=751CA8D73831397FB6DD61AD96BD0F9C8112A41285793F530BD00D97B233C7B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046479Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:02.087{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6B3BC8BC6F47F85518470CB7E4137F41,SHA256=877B52AFFE671FEB428EAF0C6644FDB10C821F4360D8A9D7FECD9F8C063F0F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046481Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:03.902{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0C574E37B6481F1384A07A0FF5F215,SHA256=91E3B75B6ADF5DA62FAD43161B3D7C0728BF8101AF4171394AB122787AA9D9DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032937Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:03.871{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032936Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:03.792{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8EE820628CB71485E91DAA050C10A4,SHA256=1F00459DED328F8E2821B2C0D26CD9A6FF37EF81D45EC3EC05B47E3BC4CC3C06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032935Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:00.962{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51516-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032938Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:04.808{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517DAC4796C023A832C2D2690E34B47F,SHA256=38376CC81310D977AFB341C786C2CC9223E76B6AFD9355A0E637FA4FFC29475B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046483Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:04.950{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939FA5DF9000EE6185EA97AF696C6EF2,SHA256=7B22B1B399595821C8AA0276E6FD3E8FD744AD4875C93866EBCCC468670366A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046482Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:00.607{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64372-false10.0.1.12-8000- 23542300x800000000000000032940Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:05.824{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD6797A2F97B7FE74B6E646873ECC8B,SHA256=6ED87B817955FE9B83C2D8CE70BC48099F5E965AA49DCBFB8AD87049BC6B4159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046484Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:05.969{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A534E88577C76C6346663C802EBA44CC,SHA256=A72EF8423A61D946CE3BCA3B29681BECE7B9C140E3E155C6279477E7E5976540,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032939Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:03.634{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51517-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000046492Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.984{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80344667AB3627DD20B1C44177FB201B,SHA256=157DEE540C575D2F988B4CE311BA015BE6550FBA67BC84449907DEAF44B6FCC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032941Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:06.855{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1687D2EE789B781B31731DAB65AA3DBF,SHA256=C8CC71114A99E33D78A291DC75E0A290E569021746DC205B0876E46D1E923576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046491Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=BD7FA40B79297B3574C99B9B11255B97,SHA256=961D0BDF4B954D5BA045833921592868C0841BF5A82568E663AA0C8513FB1FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046490Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=C238A1E7587F0CE1F28B40B1D03EAD1D,SHA256=8E722437614C8948B4DD6C2277530ACEDBC09525A42DED749A974885CB820380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046489Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=9BEACBEBFCD53351163C96AB1AF3D374,SHA256=2D3210142BE8669EFAD22430A016C629E273061010DB42807F36D9BAF3ACB435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046488Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=65137FF4488F61780E1D56097F25FB52,SHA256=E5208122276903DA564BE5468468476922B5FBAE5469C60C142F064818246C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046487Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=FB82EF422F6EBED7123C1840B59A7DCB,SHA256=8A3C4E03D3D487BD2094F544961A53C236B7DE1BE9E1FE9D0C96EC2181622612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046486Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=0ACBDB44376CF3EA50285A9D59DA75CD,SHA256=C66E25CB89BBF2D9DBBA12818D8DDB11E8DB93D366C40290792961344FC5A458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046485Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=530887CFF316F480837C01A9A4D67F62,SHA256=EE94DECAC4E00FEDE35BC14DE780080BFB4A791D16FC2AF6B39D8BFABCB92037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032942Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:07.902{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740279CF0A507C41F309155540AA469A,SHA256=A5DDCBF6844B6493435BAE42F568875EB0AD4ED18EB84961D26EBC08B92A54D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032944Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:08.906{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14720E659BED6942E81143CCCF81F6F5,SHA256=0E2BF32C4342BB728868DB2DED4CC425CFECB8EE15EB298E5C0C314693A2D899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046493Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:08.014{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F340C2F3A55E9C713FC48A6CD2FE4F,SHA256=9B551DCA723A29E02894E0AE9F31217B26B85870DC98D07157AD35495186B4A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032943Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:06.962{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51518-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032945Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:09.922{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66047D54A2D7D6E16A0C2339BBFEE55,SHA256=127F31F7B3969A389DA47174A55E1A87C6BA2943F3F541FD9095028993FDED6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046495Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.603{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64373-false10.0.1.12-8000- 23542300x800000000000000046494Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:09.016{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F69054FFE57E3AA707DE1D626AA223,SHA256=EADCE13180617006222BAD75600A1D5EBBA14A7D3CC2B44A2A41B3E2BBC2310B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032946Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:10.937{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4EE7C5B5B2347DB8EF7233ACCF9B6A,SHA256=6F33D558F4D2ED7EC842F6A9A4CD97370243343C145CF60BD54B31E842C07E82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046496Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:10.031{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC758F9CC1A120D9B068E07E7CE6027,SHA256=D62800DA2E512C59355BF793C82DE938B5A20AD25AA84501D13218F9B9AF29DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032947Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:11.968{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD2FD457DBF9F63925A97148198DB2F,SHA256=CEA710D554163A9CDC3B3DDC405E370354C4A8AC43B24EF64B48D73C9B6FDEE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046497Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:11.049{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121C2EBE98AEEC44DD0591C303FBD9B6,SHA256=C4CDC16D7672ED3C0F3D69CE5D4735D48A19466C42B9DE91FC24F082719C2178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032948Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:12.984{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFAB7310D3CBEF01E5E3FB2D99688BD,SHA256=129224AD4690CB5358CE323AE5705E76C4FE4EF3F2D35871ABAEEA7CE4717A8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046501Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:12.583{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000046500Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:12.583{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046499Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:12.583{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF90060e.TMPMD5=A72D704560554E569A1F2F3E1B129657,SHA256=A22BCA897F9BFBB1EB980CAFA2CF52CD83079651FFF0F1FD8FCC960A60172EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046498Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:12.148{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377481D3098AF0DF653DA26AAA7955C6,SHA256=98421698B09B819A9BA15883347DCE248425AF33690FF6D3AE63DCFEF0405A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046502Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:13.151{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09C885180569303B48E878C4E150227,SHA256=2493C4FF03D2C6067BE5476B15F571BFA1A3D8522309DAA151517E949C8C2FE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032962Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-596D-6112-9C06-00000000E601}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032961Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032960Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032959Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032958Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032957Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032956Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032955Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032954Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032953Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032952Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-596D-6112-9C06-00000000E601}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032951Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-596D-6112-9C06-00000000E601}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032950Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.610{82855F7C-596D-6112-9C06-00000000E601}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000032949Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:11.998{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51519-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046503Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:14.189{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D52945BC522C717390DD488AAA58A4,SHA256=DD5DE3DE9C06A9A58CD9DE42A44F190AF0816738FBA7D37D84632BE845F297CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032992Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-596E-6112-9E06-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032991Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032990Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032989Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032988Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032987Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032986Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032985Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032984Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032983Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032982Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-596E-6112-9E06-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032981Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-596E-6112-9E06-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032980Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.891{82855F7C-596E-6112-9E06-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032979Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.828{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F1230BE57AD57DF3310B68EDC33B68,SHA256=2695FB8FF49EFF9E3F822019443C7B671FE3F08BC9F2D2205BE609F762E42667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032978Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.828{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=511F513EC19611CB16B99F537641B662,SHA256=2973E9FC50B2CE9C3627A36E3328E8A9A33CFC5CAFE8B6975A6186760034B174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032977Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.797{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DFAD3E559B30D281690112712D977D74,SHA256=DBBE5884FC695A255FB942E696BEC3B9DA704EBDCD1756732B3C19255735EE92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032976Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-596E-6112-9D06-00000000E601}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032975Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032974Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032973Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032972Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032971Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032970Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032969Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032968Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032967Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032966Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-596E-6112-9D06-00000000E601}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032965Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-596E-6112-9D06-00000000E601}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032964Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.236{82855F7C-596E-6112-9D06-00000000E601}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032963Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.000{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26B5D593B164118C1753664A6289D12,SHA256=F6D0AEF09AA801E51B6CFB6F8FE2823A2676470B26847AB30C6DBB7C72081472,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046505Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:12.637{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64374-false10.0.1.12-8000- 23542300x800000000000000046504Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:15.202{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3DE0954C6FF569AF5856B0B50A7A76,SHA256=2C5F35FA0A5E1317C8EEF0AC06974E136D7A863FFE5E21525DA9F59A64EAC38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033008Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.937{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F1230BE57AD57DF3310B68EDC33B68,SHA256=2695FB8FF49EFF9E3F822019443C7B671FE3F08BC9F2D2205BE609F762E42667,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033007Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-596F-6112-9F06-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033006Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033005Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033004Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033003Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033002Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033001Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033000Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032999Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032998Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032997Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-596F-6112-9F06-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032996Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-596F-6112-9F06-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032995Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.923{82855F7C-596F-6112-9F06-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032994Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.125{82855F7C-596E-6112-9E06-00000000E601}2960628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032993Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.109{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A758153965B2A9661F6F12D4ADFF8F3,SHA256=E4808D535C1CE67D89F740475E6C0B0032898E5FF71EAE8B7F429A47750B55D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046513Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.654{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=EBEBF73258EA013D47E8E535B0091058,SHA256=8601A178E71180D9D1898D31E9721A887C21C8078B6F6576F43B0B19A8F86D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046512Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.654{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=6F75C643AE53ADA4AD8C5B37930172F5,SHA256=CA6DE73D4CE55AA711E17FD4ACE3A896797B20FCCB36A080B26351942108C983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046511Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.654{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=0A5F88D02ACB5C3B7310E0E0B22D9052,SHA256=3313F455A97049C797354E4A8273EFC31260BE4876FE8FC4CE956CFE7009ECF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046510Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.653{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=209F45EC4223FEAC308A5CFBF5E32CBD,SHA256=EAEEB75AA2B026773F23FE36BCA19B13144FEB26C533E81EFC2218FE9D1ABDC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046509Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.651{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=3EF9F07C7D22A8D6F9EE6B612AB9C975,SHA256=1D9836B46BAA8F0C49C4EBB56909193C01FE2C4EE4299D1C2CB5B7E8601B9F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046508Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.650{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=63234B9DFD2BA2D64CA39F1FDDF1799F,SHA256=176A26EA6C29BDAE3EBE6115B36F4458C35722777BD5E2143D8A106A584C2F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046507Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.649{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=2D255B5E5EEC144BFADC1C5ED192990B,SHA256=62FB3F4A98A8A73C894D2C41525DD87AAC1F10DA3CACA3BCE46928698E9F883C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046506Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.217{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE7AD77BC9F86A57B926E6730521A6C,SHA256=E7D50153FD9C123F4556FB327AE2A81D598864648CB58BF042320A77B983B144,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033024Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.611{82855F7C-5970-6112-A006-00000000E601}25961712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033023Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5970-6112-A006-00000000E601}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033022Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033021Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033020Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033019Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033018Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033017Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033016Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033015Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033014Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033013Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5970-6112-A006-00000000E601}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033012Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5970-6112-A006-00000000E601}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033011Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-5970-6112-A006-00000000E601}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033010Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.141{82855F7C-596F-6112-9F06-00000000E601}26363528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033009Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.125{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C3C2F205E78317976F342C38234F113,SHA256=947581B8CD1C6DFA40A0A63CC924EE39EB8C314EC41E29CA91E127A007177D91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033053Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5971-6112-A206-00000000E601}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033052Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033051Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033050Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033049Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033048Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033047Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033046Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033045Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033044Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033043Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5971-6112-A206-00000000E601}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033042Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5971-6112-A206-00000000E601}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033041Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.766{82855F7C-5971-6112-A206-00000000E601}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033040Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.437{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82AE32AE1D4C31581572C51AFA3623CE,SHA256=CB369F9DAF6CD7D17CC737F238BEC166A4811B5D7FB6989FF3CC7A74AC03BF33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033039Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.390{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7F0D48F738525ED564536BCF6EA212,SHA256=4005961DBC6E756C9DECC47BE4DC9FF5A1E9CA3CF081533CBB4A8DFE18695BA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033038Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.234{82855F7C-5971-6112-A106-00000000E601}2644488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046514Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:17.232{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF15943C51F04A419AE8CC1DEA134AD,SHA256=6D6B2BCA9CF779488FB278F933E4CE0176D3B1401582A6ADC69D1621720C3E9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033037Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5971-6112-A106-00000000E601}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033036Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033035Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033034Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033033Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033032Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033031Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033030Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033029Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033028Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033027Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5971-6112-A106-00000000E601}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033026Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5971-6112-A106-00000000E601}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033025Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.094{82855F7C-5971-6112-A106-00000000E601}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046520Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:18.568{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046519Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:18.515{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000046518Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:18.515{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000046517Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:48:18.515{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.3780.21.155844561C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000046516Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:48:18.515{82A15F94-42DD-6112-8005-00000000E501}3780\chrome.3780.21.155844561C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000046515Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:18.249{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B86BE9E500972D534667782D73718A0,SHA256=7801D573509B92BEC25E2A390786BFE60071F2E18D3CC8FF13B55744824F5592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033055Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:18.781{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F323A4C7C546E9A0D0D998B887EFAAC,SHA256=E587E82134A7B8C58DA91A07D825C185F5C03C41174361036C6A25437902A7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033054Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:18.281{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DCB7DD48605B0EE4949964E926DCF9,SHA256=36A62725469E3E4EC3743548D0BD18A90A88EB0E8F08D4991A388B5EB0AE44BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046521Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:19.268{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95AE12186CC56260161905C51F150249,SHA256=DA1D3B3E9B01DB889690DFD37909065E7B28FC3936D8D1823402CB2F2CED68E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033057Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:18.013{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51520-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033056Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:19.297{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=820417A7A5B7A56A1225258685FA89BB,SHA256=0B756BDC0D49BF8689ACD04143D56D0CF943A22282209715F672BF1FB5720FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033058Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:20.328{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A83554A19FFE784F4D1A194D9F506B3,SHA256=3CDC2CF7B5A32D0D6ABAE46D781EA1DFB29DF901941C9F2AD6E97C34DCD5218C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046523Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:20.283{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF7DD43E0E526CABE50E8B6BBCBEE00,SHA256=372CADC3399A1BEF4324296021E85BBEC5BB1A3FF571AA2D9084C872AF572781,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046522Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:48:20.045{82A15F94-3493-6112-1000-00000000E501}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d78dd5-0x3bbc34df) 23542300x800000000000000033059Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:21.343{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1863CC01E8FFD21540A1AE1CC81538E2,SHA256=8BD59E84D58217A47CD3833D65CA82B91D7CACAB27881F07B357DA471FD413BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046526Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:19.464{82A15F94-3493-6112-1000-00000000E501}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-15.attackrange.local123ntpfalse169.254.169.123-123ntp 354300x800000000000000046525Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:18.603{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64375-false10.0.1.12-8000- 23542300x800000000000000046524Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:21.284{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C7FDC1D19170206D77C635842832B9,SHA256=61ECB0CBB03FD4BC8E15F8F28331951F4884AB3A99223C02D1636B8574E4D235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046527Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:22.299{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9AAC08C46F5C632060004770A8B1A6,SHA256=0C2BE6ABF8B2ECBA3064AE66EFF12D974DD77831049F7726396A83665595BDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033060Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:22.375{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=053E0A60CCF9ABF2A4D0665DC6A909DA,SHA256=3CBC18F14320CD389EE4ED72FB767A0FEEA0EDFA1D1EB0E7D08CEA61FECD55A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046528Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:23.330{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FAB223BB356DCFB0D601E72C5CDA6D,SHA256=013362206E7CBF823269C960947076C16214803CA1AA1184F24BA2E372687946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033061Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:23.406{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0345BB625C1B1C10E239B1FD1A97EC83,SHA256=7D6BA7E15F856B6CB5C16BA6ECB80F7A2A5077E58563D2540E30B900D106573A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046529Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:24.348{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7EDAEB08F811675F8DE8EA76D1B636C,SHA256=F9E2211DFE2E8DD81E028A0C91416B9389AB905FC421DFDD7BA7254F50B0650F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033062Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:24.422{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C7FC0510616CA099F4BBB7A5F6B6C3,SHA256=96FA5EF65C50F75D95F5E3ED70E9489AAF61D0F3F0026E0C65B04AE9D67CF520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033063Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:25.500{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9A2090240A3BD09E0A8BB3E653EEAC,SHA256=6BC65563A2623F7028EA9348081CA72286CDF9D398B4F1DED805775B84BD85C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046530Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:25.366{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4457DCADAF6BE480A745BDAC9E416CD,SHA256=6DA02B0F1BEBC3B7FAF95201BD7F8343F55494AE1F7857A0C41D6DEB47B4FF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033065Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:26.515{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC33021DB734F2823B72DE4C6D3E8145,SHA256=6937697BA7573D96C8AC5E4BC7DE2D43191AC8DD6B5A384CE5FE343B05271B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046531Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:26.414{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9909B9FC3EF4540F5C737E9EF21A91E,SHA256=6BB2587A7C13BCC7B00800E4EDA18D29B2909A73AB7EBC614D1B0919382598F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033064Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:23.935{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51521-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000046533Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:24.583{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64376-false10.0.1.12-8000- 23542300x800000000000000046532Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:27.448{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D36884FD19EF6C515DC21031D48D7C4,SHA256=9BDB665467F170F513454DC91493120AACFBA6E1E45CD371A8DE294471DD0FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033066Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:27.609{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80A6CE88F2D4F79A829CAE78978BC39,SHA256=72B4FE2914606342F1475F85F9523CFF80114E1D7C43392A1E7D0CAB0C6C3BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046534Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:28.481{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEEDF5C971F33DC4864F16DA85FE9CD,SHA256=CCB988DC0946BFF46705A9D81872FCAE67E0D51B558DA825D2EE1A3D97C4CC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033067Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:28.641{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C3432421FBC0BCD39C1F194F5C5D09,SHA256=6F24AAE1763E081CAA0DADB42B54BA3816FCB1F9861368816C24FD898FC53D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033068Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:29.657{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF393B24D335FFC6135D3914CCA3401,SHA256=24CD0DCFA6B9D2A4E0E25422444BF9A26A3DD04490FD6281541E992A73D8AD1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046535Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:29.512{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B160607FF97D6029C23FFA396EFBF022,SHA256=E892E8CE619FD6687ABB0EF10CFA9BE6FF12410471228930F379082F905D7F08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033069Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:30.688{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D42685F5F267641C1B1C95D9A075DC,SHA256=E486D11DB2F0AD00CE1C5741832180EE8E9D35AF18F07E688698D105C2922E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046537Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:30.596{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046536Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:30.528{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F50E6EE6CA3A1B795CE74CDC381BD8,SHA256=0939571154D77793BEEBDD78BD84DDC7232C17F8D9B480774F76DBEFFC133F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033071Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:31.797{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7931F5E4500AE7DCE8EFC9E0AC4F837A,SHA256=C486F5A68E2E0B4337074C9FF736D2DBE7B4510EEEB641DCBFD54533CA81E3AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046539Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:29.663{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64377-false10.0.1.12-8000- 23542300x800000000000000046538Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:31.549{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AE4455FA1A5F1A9933DD3EEFEB821D,SHA256=8A6ACAE2B8C5F5D93EB53845A234D252B3537DE055374A65F15E74C4F35FED06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033070Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:28.967{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51522-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033072Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:32.844{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8D139A82322A22DF5DDCF0B6610361,SHA256=24B3878B2AE1F4DC9843EA038A1E61F5BBF1F03A09D1BA7E94E28904BB41E6CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046542Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:32.963{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=711B56D5FA5824E9843C510A546B2264,SHA256=E36B6402D256274626097020190EC7D453FDFD4B0BA9283594BA3CC63E56CEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046541Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:32.963{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B2A26F276B2D5326EF20689A254403C,SHA256=83335229736A7187EDD04E8E84BFA342A4E48A4531E133000002571FD48C3F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046540Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:32.595{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36585672498B6439331FF76DC56C9BA,SHA256=3F99937CE34F24BDA6A24A8DB2C7DCDE5A59188D4C7BA1C25CB87C97C7746334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033073Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:33.938{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12AB69669286D0E3B0AFF9AF2D4307D,SHA256=843B171014DD2414ED2470D67F930368D9A173D8E9C0B63901E05B1C082B285F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046544Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:33.610{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1367CADBD2DA70B0FF84697C91A9DB92,SHA256=50870E2E073C5D0A80AD48C49A15E431BF300BF10589CD974AE10222D3DC1E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046543Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:33.510{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033074Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:34.953{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3BB33A3455EF7CF868D421F317F66C,SHA256=1167EE2C076801169E3F3AD5D25B28423CFF3197F8903027203AD57F75146F6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046548Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:32.930{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64379-false10.0.1.12-8089- 23542300x800000000000000046547Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:34.630{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6465A4ABA78132CF792D6230367C899C,SHA256=2A5F97B853A2490FF74640138C87FD83D53E53BC00F9C659D6AE2FC6D530BCB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046546Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:31.362{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64378-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000046545Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:31.362{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64378-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000033076Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:35.969{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7923EF4ADB949149D3C1CEA42B1E589B,SHA256=8ADB6D339AE4A7DE156048604B1A364F118D98F235701E6FDB2D01C25072C054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046549Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:35.647{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8229DE7E4DC6B150F8C5E643F11D8874,SHA256=6C2AE4CBC86D3B851E09BA96E92127135793389B296830891AA9D5FBFF172961,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033075Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:33.983{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51523-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046550Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:36.681{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571C460EA5E4895374B476C7A5FF25E1,SHA256=13CE041E16FD4F186489DA3023570BDB9EBC31D336ABA96F1FCBC154F643C09B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046552Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:35.617{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64380-false10.0.1.12-8000- 23542300x800000000000000046551Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:37.681{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3414D3D2C064778D50F70599A0B629,SHA256=057738FBD9F65501278E0FB05097572E752C403CE26CBF3F955E3D7AED19E830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033077Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:37.000{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4AA407C7BFD38A2AEF91E1A6D04C21,SHA256=A71C705974856ED7BAA7EE9D6A39F8048B0B4CAF8DC8CF5F225866A78E9BF198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046553Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:38.681{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18BC5156FB2597F52C7889BF91486625,SHA256=0EB9218669ADB45B66367A067C4731A32E4F0FEDC4A944800FC5059409E18E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033078Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:38.032{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9778784509DFF6F390D7658E7CD68B,SHA256=832A2E217191FBF64040191AC354F8A6D868E05F3E68FCB2D4DD2764A42EE572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046554Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:39.697{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CBC3CD86760E9887FB1263FADBB852,SHA256=30B1018ECD554176636FAB4C8EAC6342B8D2E1E2859417ED1FCB25E953AA8AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033079Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:39.063{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2673470A8DA077A30204F421D88D3690,SHA256=500F7F2DDD29B2D767440826152560D452F06D4830EA740A02DE8BEEA85FD8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046555Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:40.746{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8FF52136234670FE685BDD5303E751,SHA256=4341C81BFC60B23E94153DEF4C94D0E6BE9D076B7AA91DB6F10D3F5F3A4D22D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033080Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:40.078{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878D003868016DF70783CCD01339F2A4,SHA256=3BA357BA999D90F192D2001EE8DCB994DB107A41728A2B65B0B0597F30B49295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046556Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:41.766{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546526111B0A543B3388B213CDD5DC0C,SHA256=53DE3A8EDCD20FAC4BE96F9FFF7B031ACE7FBCE013EFA176406FA451FBE361AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033082Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:39.826{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51524-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033081Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:41.141{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D4E741DC2DA523EEF99AF608650766,SHA256=D3EF637AEB633A833E683608909BDD9F654074A5D2AA865F327558BC3FE44286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046557Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:42.781{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64E3B38D9708CF2F7E76C59DD10AC6F,SHA256=0BD4F61475508D65CA2B85668F8D787040A1B3DD9C27C8E27D354D9BE3139EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033083Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:42.172{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAB3696050CFA3934BF9AD4A67FFE06,SHA256=9A664C998549AC220AB0C60A96B2F537085661D6EAA7790DCC658DDB88A94AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046558Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:43.781{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AC5F9DE06771DF210B61241F047B31,SHA256=6CDF64674F625FB9D7D0DFFE3B03E6BA8D9936F43B6ACD4DE83A1F89CE9717B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033084Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:43.188{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E81981265A96B65A1DD2B0E1B02A89,SHA256=98D3EA689C6807CB7511FB621A37C964F7568DF666938696FC7DC342ABFDC90C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046560Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:44.796{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E15AE88F2304AC7E9E3A40D72EAA7D1,SHA256=B62E7320B81970324DAC2CF0372C3C7ED7EA6982543DB3522A7C47C1308440C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033085Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:44.189{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD64C50894175873938D84A5F5571BF,SHA256=D2235375E7B6848FF18030D601ABE525371899321E8412BFE84A4843D457EDFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046559Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:41.547{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64381-false10.0.1.12-8000- 23542300x800000000000000046561Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:45.796{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7785837EBAA4C0272912D39DFC883D70,SHA256=FF384DE1B18D32A4ECEFBFA19E53106067DA48C506808A03F06AC9B28CE8380F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033087Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:48:45.436{82855F7C-3681-6112-1000-00000000E601}944C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d78dd5-0x4ade7b71) 23542300x800000000000000033086Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:45.201{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D20F69BA2234D9895F852FF2E914420,SHA256=92C18F6269531767411E9D91A2BFD87CB2DA502A9509E3B7578AFA1AC8087C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046562Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:46.827{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5543364200C613E5F11D6452E7E85BEB,SHA256=9DDF6000146652DD3D46D48FF6C3C6044A291F4C1AC2BC07187D8776E3A01B26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033091Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:45.199{82855F7C-3681-6112-1000-00000000E601}944C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-456.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x800000000000000033090Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:45.199{82855F7C-3681-6112-1000-00000000E601}944C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-456.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 354300x800000000000000033089Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:45.043{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51525-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033088Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:46.219{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4D2FED5084E0695249BC5D7606AFD0,SHA256=BC696EF646E5837CD743ED4420A60BDD7109CA437B8056E47D5A1542F029224E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046564Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:47.831{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B312038835E0EDAE177427D3E17FDC0,SHA256=596413200B513AB6CBAB0DCEC5B92408D5002EE8F68D667D965ED1AEFF9D888A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033092Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:47.266{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C31CB663AF0F2B1E05CB0A89B2D7A49,SHA256=2B6D3889AEA5B10E0ECCA1773F06DAB164912D006AC4114EB32E3037FF149E93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046563Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:44.858{82A15F94-3493-6112-1000-00000000E501}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-15.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 23542300x800000000000000046565Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:48.848{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F442CE6B80C15725E9DA2699E25669,SHA256=76208487FFA44662FA386BDA12CF8670DD0CC6897ADA1374D2A6BA4A429ABA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033093Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:48.299{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0876A27AD6E546A7C0962127BCEABB43,SHA256=4E20CDA288072E792FE216E74E19FAE08FDA7DDCE119C8C214B39B0910ADAB55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046566Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:49.898{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2052B31C45F56147E75D0AE57123AE23,SHA256=75D5FC77246BBB452BB8E185A767D69BCA82AA10B01D62F73F07EB28D4074F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033094Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:49.330{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C0BA136E7E633DA0470EDB88CF9401,SHA256=DFD889F0F6094500F8F3F64FA1A1532088FB56808DFE08822ED6293153E05D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046569Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:50.916{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FD692BE73CA52FCC01806A3E7CE531,SHA256=2FF00C005C2B5AD15532CFE2E4595A8DF374BFBD1F69AEFE125DD311132B0853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033095Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:50.377{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFE360DBCAC3BABBE038EE38897B8B7,SHA256=DA0CB7AE9D514B00EBBE7A43CE6191F0C7FF9884549947B1630B0C4FB2749658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046568Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:50.182{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF9098f7.TMPMD5=98D337AE5290E897B55C45A1E233320E,SHA256=AF7E2A4CE72342DD3A7EAE18801CDB1C6819994A4573C77DB257BDABE8CE6FD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046567Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:47.485{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64382-false10.0.1.12-8000- 23542300x800000000000000033096Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:51.377{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F34374E98E5FECAB0C9FAA87C008058,SHA256=ADED4F03073A60EDB615F0EDA437C4AB2FAFE15543FEF444EE952C02D6638558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046621Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.588{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=EA9917F106535044892A53D020DEA69B,SHA256=B884E2E1B384D63675F89682AA711C8D7ABD03E7DB36A4A828B8B4176B1E5E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046620Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=66561B176F3D771822FA797FA805CF55,SHA256=22C728F77523AB53FDAC3855574B4EFC1250DFC60839A9989D571D3D9DF75D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046619Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=C4CAC042AD9762632CF30D1A71660493,SHA256=D1AC36DE5E6EBCCE0219D37EA8ED90D73DA4BF7079E6DB379FEB4BA1199AA7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046618Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9EAA0F97B27147E9FB572C769421BF36,SHA256=9E29E7FE913780E33F45ADB2CD9D03C4E782D5DA5E57AE9287BF71BEA703BA3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046617Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=4DE8E1E1C8454403D83A7BE097FE6F9C,SHA256=306C95270C13F9C4679D9A183DAB5B03C0EB2DAC3CCEBDB21637A5F131087067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046616Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=92CDD5E61BC9769EF07B364B474B8EA9,SHA256=40C50D1F510E5C933F6DF90364FA2C945B68E36B3599CC5D7EA9BC3459E27902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046615Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=839CC6889CF025B44D33913D41A30485,SHA256=736E83909AFCFA5EEEC5A4AF615BE9CCD72907B7D847EEABFDC72F91462AB0E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046614Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=42A822B6BB1626FF5F9E08C849C10E47,SHA256=47CE6F8CD7DB698A68E79C3E282E3A73567AB4836955F5DD12C1F0B30B03F825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046613Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046612Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=5D5C1B661B041EE63DBCDC648DA95D66,SHA256=02F9BE363D83A2C1E9A56233EE16EFAC6524E9C80E5934715A3B10ECB01978A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046611Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046610Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046609Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=8B0A0C062D7AEEFD9CC54621DF25CDDF,SHA256=9F3386944CDCC4127AC2D2919C9CC00C0B433DA9D816A6E16829B77A0855D440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046608Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=328859C818E509DFEF0F70658C1F27CE,SHA256=F05E37360E431A1CD1DC31947D02250684ECD7F2A74B73A27721F67702911A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046607Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.556{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=DB942B781C203E3C754E5895B21F6B95,SHA256=0C5A481610C99BB5C596242EC54098A9CDC2DC7D7DF2C62DEF9D6DB60CA99BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046606Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.503{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=2E4D151E3D6B3EC5BD6998A5E8234EDE,SHA256=0BA699A9AEC1A592EDD80CAF11940340D979B26425857C02DD09A5718607370F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046605Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.503{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=17E86566A298735D211D62D9A2A52AD1,SHA256=01C9E799CC6EE5B87B298A0FE32F28AF55944B50491F740723DD2E013DA1A242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046604Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.503{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=C6A40794C6C005C6EA63536CAB32C6D3,SHA256=C586C8D85498A5B2266619114BDEBD4B8A50F46FF900198FAA2CAF5D35A25A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046603Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.503{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046602Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.503{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=F65ED2309BEEB639968C7622DE89B138,SHA256=E416140EA8A4E8046BB7D347051AFFF456D6A8CB347F4310EB0DC669350B6CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046601Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.503{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=57BBF9FC9539018C50B7371CA64D421E,SHA256=E5F404CF9911985194825518222A285B21B6A2A5702C0361360EFCB24286827D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046600Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.488{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=55BBFDEE7D751466E71A387FA137103E,SHA256=C468619F4F5F0FA54A92ECAE8637662D7E2417F0E7556C72252B83B4EDB74210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046599Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.488{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046598Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=28233730802D51CDBFC58AF9E125BBA8,SHA256=CB410F27D417DEB64E4183F6B3896BBDE3588EDD0D8C68B5B7CEFF7A83574606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046597Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046596Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046595Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046594Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046593Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046592Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046591Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=B0D75A1A685F4D099326DDB449BB9112,SHA256=DF0B35FB913B4DA13BDEE5164066EEF2F3AEDD529751FA02EE10D3C9AF042D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046590Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=5CDFF64ECFA96293CEC446FBB9ED05AD,SHA256=DB5C943BF21572DDC47280697B8D12DCB7E28EE7366F29BCBC7FC6A4A37A6279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046589Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046588Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046587Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046586Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046585Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=F3CA7BD9B1554B31CAA66255B8DC476A,SHA256=3D6253F4ED13AAD2C51222A9053555CA8B9454E5F8E5281449AA5CDBC7CC749E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046584Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=C193F500A6858A2FF10F939216622299,SHA256=87B49EDA26BD4F6DAE04D8DEFD14473B40FAC5703BA3C43DB1269239E03C7330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046583Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=5D9D7830400881CAEE755851F1C08D73,SHA256=98B0A25DE6BDF7C982C61BA616E967524E19644464ACA0EB2E406A18044BBFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046582Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BFFB8F4198AFFCE5F3D7A719B778E2B7,SHA256=D789DF00295F639C447D61F2705929AE3D362745B97E8B5CE7A8225B63162B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046581Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=F922446B2E6BCAB9EBD504A6477529F7,SHA256=34DD5186F2E7DAC18D69098AA66C0D115D8AD8DA465CD803A7AEC3FC1C3DFCF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046580Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=9672DF7A0F0A2922DCCB0397E6D11B01,SHA256=BE501A6B9B613BD536B9E70AB0EEA9F324FDF0FEAB570700A5E22B79468F45E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046579Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046578Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046577Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=E09CF07E8EB9286004F5C008C0497474,SHA256=30FBCC82FE601CFA48472687B9FDEECD88DFFA9D201FD3AE2EEE1EF178F6FFC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046576Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=6E86D26A7650DEC0D59940F9A3B814F6,SHA256=82714B1C82C4F36A0EFDBC65E78253CA5CDE4ED42B80FEF6989FF565168C0147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046575Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.451{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=55BBFDEE7D751466E71A387FA137103E,SHA256=C468619F4F5F0FA54A92ECAE8637662D7E2417F0E7556C72252B83B4EDB74210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046574Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.434{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046573Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.372{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=C6A40794C6C005C6EA63536CAB32C6D3,SHA256=C586C8D85498A5B2266619114BDEBD4B8A50F46FF900198FAA2CAF5D35A25A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046572Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.356{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046571Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.356{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=2E4D151E3D6B3EC5BD6998A5E8234EDE,SHA256=0BA699A9AEC1A592EDD80CAF11940340D979B26425857C02DD09A5718607370F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046570Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.312{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033098Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:50.795{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51526-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033097Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:52.393{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5846F24093B6DF10E07D75057BED8BBE,SHA256=7F9A4E3224C03AAAA1B3C033FCBABF5660E459D6BE4C8C83A207C6E898811C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046626Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:49.627{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64383-false216.58.212.138ams15s21-in-f10.1e100.net443https 354300x800000000000000046625Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:49.626{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local56653- 354300x800000000000000046624Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:49.624{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local63035- 23542300x800000000000000046623Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:52.218{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A489DE713E0B68D7DEF753603C7C7F6D,SHA256=8AAD8936A36DAD0609F33BB1D2F129A412A0E0941CE491289E55FED3904049D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046622Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:52.103{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033099Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:53.424{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA81E20332E2AADFE6C6E0290A6BF5E,SHA256=286B95C05ABE9A92512D916A9640818106AC339C658A22EF6598BFE28C8FEF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046627Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:53.119{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CCE40742E8E082467F82D37C4A836A,SHA256=F177DDDAEFCF647C002DFF1EFDED8303291E388E26800EFBC07EEFEB587DE539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033100Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:54.440{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D280169A7EDD40335714D77EBA25DAC4,SHA256=02FC78CC9E7335456306F48E0F59E8C7B5DC3DB76B2C44081AD0E9A7EC09E157,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046630Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:52.606{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64384-false10.0.1.12-8000- 354300x800000000000000046629Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.754{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53579- 23542300x800000000000000046628Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:54.133{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C748A40D14EDDD3842BEE5DA98FF879,SHA256=1998F496C425C796A2AC3AAA4A0E8C1D824457FDCC515E65620AF151F15D4947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033101Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:55.487{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D641FE8A6D18AD11937F9A10C6FCF4E4,SHA256=1A6C488834940CBF2060D1637822E72DF1A768F8FCF592689DDCAA55B24AC648,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046648Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5997-6112-2C08-00000000E501}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046647Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046646Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046645Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046644Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046643Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5997-6112-2C08-00000000E501}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046642Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5997-6112-2C08-00000000E501}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046641Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-5997-6112-2C08-00000000E501}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046640Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.369{82A15F94-5997-6112-2B08-00000000E501}11445852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046639Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5997-6112-2B08-00000000E501}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046638Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046637Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046636Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046635Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046634Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5997-6112-2B08-00000000E501}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046633Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5997-6112-2B08-00000000E501}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046632Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.186{82A15F94-5997-6112-2B08-00000000E501}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046631Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.150{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181D619F562ED87EBFB8AD7319016B08,SHA256=67788728E77811723A17285EB042B4C4763F4EDBC0A62F1B1EF0563227004325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033102Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:56.533{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F8E2941AFA28B6097DFEF9FF7713170,SHA256=AB5662983BAB6F593ABEA4D85D8FE4FE9D68082E8F0E49F83B87BC128B9627FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046659Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.551{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5998-6112-2D08-00000000E501}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046658Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.549{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046657Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.549{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046656Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.549{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046655Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.549{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046654Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.549{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5998-6112-2D08-00000000E501}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046653Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.548{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5998-6112-2D08-00000000E501}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046652Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.548{82A15F94-5998-6112-2D08-00000000E501}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046651Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.268{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326CAA69A00A8194DA53E9B9E4A0C702,SHA256=F76AEE35BC6C1E9F2E62EA7A929344C27D9C108F9F5869C74EBE824922822A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046650Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.268{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=711B56D5FA5824E9843C510A546B2264,SHA256=E36B6402D256274626097020190EC7D453FDFD4B0BA9283594BA3CC63E56CEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046649Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.184{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521282DFF60DAE741D3DCDED81418D4E,SHA256=F7DB151D9A0BC1698116017B65B549A324893F49C94F040BB055E75DCB2B0F9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046678Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5999-6112-2F08-00000000E501}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046677Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046676Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046675Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046674Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046673Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5999-6112-2F08-00000000E501}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046672Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5999-6112-2F08-00000000E501}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046671Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.968{82A15F94-5999-6112-2F08-00000000E501}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046670Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.583{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326CAA69A00A8194DA53E9B9E4A0C702,SHA256=F76AEE35BC6C1E9F2E62EA7A929344C27D9C108F9F5869C74EBE824922822A47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046669Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.449{82A15F94-5999-6112-2E08-00000000E501}44326656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046668Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5999-6112-2E08-00000000E501}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046667Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046666Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046665Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046664Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046663Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5999-6112-2E08-00000000E501}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046662Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5999-6112-2E08-00000000E501}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046661Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.285{82A15F94-5999-6112-2E08-00000000E501}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046660Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.199{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE71AC0D7B1F47AAF8FB617A9ACE9F94,SHA256=A01FB307F72BF23A10BA0454BADB77FC7E2FFC5CEF97F074EBC3E584E4A8D87F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033104Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:55.951{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51527-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033103Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:57.549{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62EB964026E330FB49C19355AB808968,SHA256=14D5877D9A8629C78B0CFC78BD96E520289B8AD72AB3B153C768EB0E408A3E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033105Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:58.565{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790303BEB7599F135E127E430E842627,SHA256=A743261FCBD313A4B92A07E34158F40F19EEBCC9FAA7ECD8B5FF7F06C3E17EA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046689Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.813{82A15F94-599A-6112-3008-00000000E501}43923928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046688Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.650{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-599A-6112-3008-00000000E501}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046687Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.647{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046686Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.647{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046685Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.647{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046684Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.647{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046683Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.647{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-599A-6112-3008-00000000E501}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046682Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.647{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-599A-6112-3008-00000000E501}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046681Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.645{82A15F94-599A-6112-3008-00000000E501}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046680Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.229{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AABCEB3B16D773396AB99017E89DE6C,SHA256=CB82995C866F758EE6FDB591E12D7E7C03AF2FAC2C88433E9C49EC84691D300D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046679Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.129{82A15F94-5999-6112-2F08-00000000E501}59885524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033106Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:59.612{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC458769349D26C4A4325237217EA4E,SHA256=0285B01EA92E6D768217AA99D040ECE4A3FB7D11B4B911EA78DE98469AA143FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046699Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-599B-6112-3108-00000000E501}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046698Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046697Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046696Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046695Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046694Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-599B-6112-3108-00000000E501}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046693Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-599B-6112-3108-00000000E501}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046692Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.314{82A15F94-599B-6112-3108-00000000E501}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046691Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.298{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92D4996E9D22D0474F164987C91EB1F,SHA256=84AD7C92A752CC42EBF3C57DDA627C85B788DAE743104EA0E72CF46088F03C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046690Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.998{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9238D5C3B84FF347EDEBB491B9050D5,SHA256=7C3EC31008F8250BD945B48E7D94BD9FEF86E668CF25300D8D2FED846E6A76C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033107Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:00.658{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882B758FDA82806C55810E7D346A0F77,SHA256=8FD7A5564C7E4B958FBB8B22B5ED4E71E182CB8CB527326FB92D1EE6424128E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046702Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.564{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64385-false10.0.1.12-8000- 23542300x800000000000000046701Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:00.313{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB26E0E53AD00A9C0D9951219B67E5F,SHA256=465E47BB7CF74770F44ED66D24754DC4121E778BED4BA1F2D46073CAF47681E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046700Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:00.313{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5951A9B20A7351FFB3CA5E5040BF76A9,SHA256=BE6BC37D0C54557787D26B06AC286F52CD721D03AD49D39EED74426E83B1CD03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033108Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:01.690{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B897685291AF121AF37D8B6AC9B510,SHA256=534EF1CF095C4813718935362D78CA64057C50DFB9C38EDF248AAE9C2A24AF93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046703Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:01.347{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D74B3B742A717A7AB249C193E0B2C9E,SHA256=7E295358E05014A707D9B04D5BA16F08C9EEBBAF2BAB25406FDD4046EBB2C05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033109Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:02.705{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA41B80B0D1FA8626E31617CB5810B3,SHA256=6434F09271EFE014BD524E2902FD590FBF1C50EE5D1A40A3824759FFE22A0A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046705Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:02.380{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4FDAD4FCE1C0F98961E396CB5F9B7C,SHA256=C2096A1D26598A7D8A04611CC929D3B96516024890B9B81F3E665D2C14FB03EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046704Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:02.096{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=84DE4D9FA430CD5E8407A30A59623BFF,SHA256=9FD7A3E9F2822A8455FCF1B59BB060833C3CFB76F8B91996199F817D09BE2F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033111Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:03.893{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033110Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:03.737{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2000FC2E38CE08FCB43E5C71B718496F,SHA256=B7DA918D6C85179169D7B446117DE1E2259196104EA30BB6D1E696429D1A235F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046706Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:03.395{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27591593EE171778ECD5E3BE77F06A2C,SHA256=23E295C33F7DBC168AE2B2518E3F80B74059171A5E567F32B4DCC4E853E9CB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033113Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:04.752{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09067756187B5AF7B68F5DC128F9570D,SHA256=0BA77A3E14318F8DBD0C6A7853AC6D0860BB50F3948AAF5D1B701C56947C74CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046707Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:04.410{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851F5D48CC7B383CC20ED5CBB6838B3E,SHA256=1A87FB146518236DD9F90344B63E5A772366C78B4CEC5859E76AA526FF6DD930,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033112Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:01.998{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51528-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033115Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:05.799{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A0BE48CDDB277AF9B2A06B2489754F,SHA256=7A792926E7D235A06F9E9A264D6ABC90C1AB1D3179B10C6DBB61653B96D5E916,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046709Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:03.680{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64386-false10.0.1.12-8000- 23542300x800000000000000046708Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:05.478{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D146E63426EC45AB1726C880EFB9F247,SHA256=50C27195D4CA7C4AB893D471EE9D92663B9151C2698A11C0FD7224730B8C7C2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033114Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:03.654{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51529-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000033116Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:06.830{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C40FD23D651A418D8058B20CD58342,SHA256=CD862D0477E8189E7A59BDA415D1FAFADF2CE98370C1B559D80552F0C8652273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046710Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:06.493{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42EADA65913E0B957594C0348682DCE5,SHA256=BA65C39B4357BD3358F831F01BA89BE268DDC951642BAD6626A267DD7B0759F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046743Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046742Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046741Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046740Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046739Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046738Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046737Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046736Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046735Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046734Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046733Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046732Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046731Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046730Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046729Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046728Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046727Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046726Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046725Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046724Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046723Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046722Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046721Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046720Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046719Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046718Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046717Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046716Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046715Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046714Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046713Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046712Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046711Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.508{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE07E64476D6C982A50C7588841A1D3,SHA256=5F0D9620D7D8E5E458C0D71D41A22D321F1DBDF1A1E2C6BC7DBD18E5684D741B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033117Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:07.862{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749C888BBD1F875FEDBB8769973DBE74,SHA256=F41E89299841B75005AF9347D5003C5BD1C968BBDCB17FCDFDAB7A9F1197728F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033118Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:08.866{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2573810FAE2E3C1A2D11EDF58D46581B,SHA256=A6C1170B1500AF2920E065BCB0130BECAAA446F59EDE66FC8EC2ECFFF847E081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033120Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:09.897{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E61C0E31A75BF88A3726D0CB7122B1,SHA256=CDE286D830D6C9AFD15565C5E803FF6410576FC0E05636BB870359D16F94A514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046744Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:09.040{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F2C74AB472EB4F637A4C20E964030D,SHA256=83FAAAD776D9F70E069D7114599CD64C773071459B849686528E767B645FEFDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033119Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:07.982{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51530-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033121Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:10.944{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B559448E4CA9BBEC6E5031D072139CE0,SHA256=40E01501DE63895FC5B2EC65BE00654C8C7248198A52F9970B1E6FD248AD90D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046745Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:10.059{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA406B4E397FF43567A07383F26C291B,SHA256=5D98C01699D0F951D4006A7791AF118ED32E442DC371390FF235CB99D32B7724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033122Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:11.960{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE2AB258868BDB50ED541B959AED246,SHA256=AC3EAFF86DBC740FE30302D3B857957089D89AC275061BCFF873A5D0876EC597,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046747Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:09.494{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64387-false10.0.1.12-8000- 23542300x800000000000000046746Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:11.121{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB35D0187F0AB74EB187593BA7C45B6,SHA256=D7F98A4DF2751C6618FCEC65510A3551A832751955584D5978E71FA1A8258D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033123Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:12.975{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C319A5B248E031D72A284767DC129737,SHA256=DD2E6961D3B59494F1EAFB1FFA40C67999B3328ABE9BCC15A9A217036E7229D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046748Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:12.173{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E968E3B38BB1071EFF6F661A6B249D,SHA256=FC0C389C1A9C591871C047131411183E58E73F1A52E75F05E286B49B5E6E4AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033137Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.991{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F69CECF0BE5A03B890DF066DA7BDCB,SHA256=AC8301A360E3C2627A748B70FD5493E874FCE8D96AAA6EA018E3B3C178C6047E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046749Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:13.188{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4632E4E1907A7BD6B42B410F2B91178A,SHA256=E5CDE5D680EBEB212B7E2B24606A5D034CF4C82FBE32B164DDB38023E38F4801,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033136Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59A9-6112-A306-00000000E601}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033135Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033134Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033133Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033132Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033131Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033130Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033129Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033128Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033127Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033126Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-59A9-6112-A306-00000000E601}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033125Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59A9-6112-A306-00000000E601}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033124Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-59A9-6112-A306-00000000E601}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046750Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:14.203{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0F35BBFA7ED568398A43772E3C9E53,SHA256=D2AF11B183B5C247AB5F23E854A5D09A5A5DEA5F3CBE55AA8DDF574AF61E876E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033193Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.803{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=13C69FF8027589CDCBEBFAB95D7A8769,SHA256=0601FF22B9E1B61FBDCE87CC897EC148A65D27137D034E6F5EBDA8850026D2B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033192Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59AA-6112-A506-00000000E601}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033191Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033190Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033189Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033188Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033187Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033186Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033185Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033184Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033183Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033182Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-59AA-6112-A506-00000000E601}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033181Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59AA-6112-A506-00000000E601}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033180Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.789{82855F7C-59AA-6112-A506-00000000E601}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033179Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.647{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=839A4749659AACCD53D6F6BCCC8EEDDE,SHA256=1FCD4D4CEF7C4B12E255B3BEC3F0EAD7D1F9522892FA1F00D162972415556C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033178Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.647{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F22CFFA1879FE5A5FD256BB8B284067,SHA256=2FD514FD0C2ABE0C02A0323CFE41EB7B9E86F7C4F3EB3826392E29CE3F633BA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033177Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.304{82855F7C-59AA-6112-A406-00000000E601}20921964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033176Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.241{82855F7C-3680-6112-0B00-00000000E601}612328C:\Windows\system32\lsass.exe{82855F7C-367E-6112-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000033175Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59AA-6112-A406-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033174Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033173Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033172Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033171Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033170Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033169Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033168Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033167Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033166Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033165Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-59AA-6112-A406-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033164Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59AA-6112-A406-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033163Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-59AA-6112-A406-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000033162Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000033161Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000033160Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000033159Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\FlagsDWORD (0x00000002) 13241300x800000000000000033158Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\TtlDWORD (0x000004b0) 13241300x800000000000000033157Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\SentPriUpdateToIpBinary Data 13241300x800000000000000033156Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\SentUpdateToIpBinary Data 13241300x800000000000000033155Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\DnsServersBinary Data 13241300x800000000000000033154Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\HostAddrsBinary Data 13241300x800000000000000033153Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\PrimaryDomainNameattackrange.local 13241300x800000000000000033152Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\AdapterDomainName(Empty) 13241300x800000000000000033151Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\Hostnamewin-host-456 13241300x800000000000000033150Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000033149Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000033148Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000033147Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\AddressTypeDWORD (0x00000000) 13241300x800000000000000033146Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\LeaseTerminatesTimeDWORD (0x611267ba) 13241300x800000000000000033145Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\T2DWORD (0x611265f8) 13241300x800000000000000033144Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\T1DWORD (0x611260b2) 13241300x800000000000000033143Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\LeaseObtainedTimeDWORD (0x611259aa) 13241300x800000000000000033142Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\LeaseDWORD (0x00000e10) 13241300x800000000000000033141Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\DhcpServer10.0.1.1 13241300x800000000000000033140Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\DhcpSubnetMask255.255.255.0 13241300x800000000000000033139Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\DhcpIPAddress10.0.1.15 13241300x800000000000000033138Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000046753Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:15.255{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90044536C08685A2C871EAE43E83992A,SHA256=44BD67EC87CD39872AC0260155DABB1EE354E66EC418E64DC7EB856E9E4B6C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046752Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:15.255{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA83C3950EF0193B94277FC193C6AD1E,SHA256=218AB59F9A26AE1E841F5E8CE51247DCE9CD287295311DAE21742691C8BF2F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046751Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:15.218{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD26F9125BEE7BAB6ADB47158E991E37,SHA256=882C180CDF9B193940038CC5BBDAD65330B0E940E3FB9E5B1299CA53CEAF4979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033213Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59AB-6112-A606-00000000E601}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033212Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033211Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033210Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033209Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033208Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033207Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033206Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033205Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033204Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033203Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-59AB-6112-A606-00000000E601}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033202Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59AB-6112-A606-00000000E601}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033201Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-59AB-6112-A606-00000000E601}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033200Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.805{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=839A4749659AACCD53D6F6BCCC8EEDDE,SHA256=1FCD4D4CEF7C4B12E255B3BEC3F0EAD7D1F9522892FA1F00D162972415556C16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033199Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.859{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-456.attackrange.local56587-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal53domain 354300x800000000000000033198Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.858{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9860:b621:8e9d:ffff-56587-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.eu-central-1.compute.internal53domain 354300x800000000000000033197Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.858{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9860:b621:8e9d:ffff-54687-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000033196Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.858{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:3c49:c8d9:2d5a:968bwin-host-456.attackrange.local54687-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000033195Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.846{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-456.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x800000000000000033194Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.147{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AD51C2BEE3F78978EAB714D7324B48,SHA256=FD4CE1EFB90596870A087E8CB25956FCD6C1875B363A1FB3510BD8623E296401,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046761Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:16.386{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\AlternateServices.txt2021-08-10 08:54:16.121 23542300x800000000000000046760Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:16.386{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\AlternateServices.txtMD5=A78ED05A3F8E3086308C4E0764C13D94,SHA256=7C01E3AFD66A08A1C4D1012413855A9D76C70C22225D74C4E6117C12EC691857,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046759Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:16.286{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txt2021-08-10 08:54:16.052 23542300x800000000000000046758Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:16.286{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txtMD5=DC31534336A68FF5E46137BC045CE661,SHA256=22EBB7C963134ECC8A31A223FCE2BA761740AFED96A4DCB032A29745B2B4939D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046757Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:16.254{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51899826EC10CC25504925485E7882B2,SHA256=FCD1C57C08C3FAD8B935C01A7523488C3256DC13ECA0DBA23826BAB470F93404,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033231Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.758{82855F7C-59AC-6112-A706-00000000E601}32041892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000033230Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.021{82855F7C-367E-6112-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51532-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 354300x800000000000000033229Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.893{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51531-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000033228Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59AC-6112-A706-00000000E601}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033227Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033226Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033225Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033224Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033223Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033222Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033221Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033220Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033219Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033218Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-59AC-6112-A706-00000000E601}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033217Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59AC-6112-A706-00000000E601}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033216Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-59AC-6112-A706-00000000E601}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033215Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.149{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242579231181065A86B4D29A64B8EE7A,SHA256=E628627D5FC7E3B3C25681532867318154BB2929ED2F9E7814CD895CEA7110AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046756Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:13.679{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51532-false10.0.1.14win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000046755Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:13.517{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-15.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54313- 354300x800000000000000046754Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:13.516{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-15.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal56587- 10341000x800000000000000033214Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.117{82855F7C-59AB-6112-A606-00000000E601}10202208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046763Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:17.285{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95947FDA6A85862827C0A40D73477CCD,SHA256=CF844B5934FF6004EC2F61AC877B7431CC6CD7EF5F45A037B4BE58E08A2B7B7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033259Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59AD-6112-A906-00000000E601}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033258Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033257Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033256Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033255Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033254Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033253Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033252Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033251Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033250Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033249Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-59AD-6112-A906-00000000E601}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033248Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59AD-6112-A906-00000000E601}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033247Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.946{82855F7C-59AD-6112-A906-00000000E601}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033246Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59AD-6112-A806-00000000E601}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033245Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033244Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033243Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033242Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033241Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033240Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033239Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033238Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033237Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033236Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-59AD-6112-A806-00000000E601}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033235Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59AD-6112-A806-00000000E601}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033234Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.274{82855F7C-59AD-6112-A806-00000000E601}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033233Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.211{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DDB4EE79411A74B2553D88B73C1976,SHA256=AE3B52D2A7705F5C52988313CE018D9EB44FEA04CF0FA8DBBD5B2A651B673697,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046762Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:14.569{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64388-false10.0.1.12-8000- 23542300x800000000000000033232Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.164{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7D7CA66925FF2855389DD5EE43D12D1,SHA256=F092F4DEB54C3FB1937DE742E0754EFD69E5861F536FC294DE23AB8AE7FAD2F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033262Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:18.570{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E20B572C0F33C8D5A33B5116304B2ACC,SHA256=B9086AED079987075DAD24B87871111EDA72E0BE34056FEC93DED6CCB4CA053D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033261Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:18.570{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4689389E474D1AE4D6221D052DDEB148,SHA256=54AA1BBA3FA23E2A755FEBD393E287A14EE462D6135E3FF3F1584E1D46002782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046769Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:18.584{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046768Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:18.553{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000046767Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:18.553{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000046766Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:49:18.553{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.59.8555027C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000046765Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:49:18.553{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.59.8555027C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000046764Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:18.315{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58224644AE924EA2C77D0050B1B02399,SHA256=9AEF3786526CD5F9158DF50FBD42A2E42E534A424444FC76D4B4C959EAD757AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033260Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:18.117{82855F7C-59AD-6112-A906-00000000E601}24681172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033263Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:19.820{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932C784531464B35C4DF0B0282436257,SHA256=0C90B7E7D83D7276EEFDC558F97734224996CEDD8EAE7076FC3CD67833689BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046770Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:19.334{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEF078CF65F5448E6A515EB9989046C,SHA256=9712FC1B3658168AC540415A133C92057A07EE4C9FEAF0FAB5D2B5193D739E98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033265Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:19.035{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51533-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033264Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:20.836{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D1A2E6B9D23A3C9AA072A54EBA0F1A,SHA256=30F04F54D68EFC05D61E4E8E70631F68AD0CA92793D297FC8B0D07E869932F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046771Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:20.351{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6AED060F378F95EFA72B5E1380CA1D,SHA256=34E0800F3758BB179961EA172BD26979541E9992E5B960180FF51213BBFDA870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033266Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:21.852{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C9FFEA08FFB8A9F9FD3E478CAD6292,SHA256=FE8AF8958237C0CF69D1DF26F8A86BD7214029AFDFA4DD5FE6AC1E81B750BAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046772Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:21.382{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337FF38FBFFFD145C523DB7292B05DFB,SHA256=A4FE29E4245E583DAE8961F7D88234B702AC0A2863BB223C89E02EE1F68128AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033267Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:22.914{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B3EB38CB53410E52592ABDE382F863,SHA256=19972A74D89507E432AF4FE71EEA1013005CB47D1C6700BB4B5E2C0DBF53AFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046774Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:22.412{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAAF5CCF28938FE65DBA333CC75DFC8,SHA256=332B0DA86388763C94610C4439C0E6E2965E5D13A2D850D420AF3BFCD143BDE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046773Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:19.649{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64389-false10.0.1.12-8000- 23542300x800000000000000033268Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:23.930{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CD38A39FC43F51841C6E77E8B004FD,SHA256=7DB15320121E69497E5D39DAB783F87DA43023943D3A9D1361995E5BB0EE9D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046775Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:23.430{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B854059542CA99F3B4AE67905D336942,SHA256=F76336E14DE145D8E3B642D400813EADC7DECA96DF142B59253F3802C657578E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033269Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:24.945{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DBFDB0935A119CE3F821E410E2C043,SHA256=7C0217E14813E7F3B67952BAEEE4E6BDF64EA9F3742B0CFAE016F8C75606EAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046776Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:24.449{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5A600C8E8BB8103F3FE2116DAF0A2D,SHA256=1BA4A0AFC633F24041C8F3BB4892FFF3DF31368F468323031E9B257DD426344D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033270Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:25.992{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1AAA099BC4B7E193D81DC6DB12ADAC,SHA256=94CE358AB3AB9782AFB97C0FC69BFDEEB0DACB255FAF0588A98D96A452309E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046777Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:25.479{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB16CB804AEC223A3E0BB7328444DA91,SHA256=6551107D80EA9DD43585A8836E697DD15CA6C981040676CEB76AD0E69789B7D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046780Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:26.494{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B186D729E8E5465E307130AF89145F,SHA256=A80997E1BA285F96E3B9DE7601A69887B05ED324935140516EA26C913A55AD57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046779Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:26.031{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDE32F8252E6ED4BDC7745FEB21914BE,SHA256=5AD2D5088CAE88DEEE1CFD9D03274A6F4A4EC31ABBB5107FB572F19CCC52B11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046778Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:26.031{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90044536C08685A2C871EAE43E83992A,SHA256=44BD67EC87CD39872AC0260155DABB1EE354E66EC418E64DC7EB856E9E4B6C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046781Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:27.509{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4947B2A3CCD9E31B804605E2CD0A2242,SHA256=11A729BDC2D747231FC3BF11EF722951635401A93F25C24C4471FC6D0AC19514,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033272Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:24.941{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51534-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033271Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:27.086{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2716F6A12889C2EE64C5716C3B56779C,SHA256=2C6912DC534A54C29BF6704DC6146B4E7A34D3F6373BFB64ABC72E7C31D00693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046784Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:28.846{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7B2DEECC778244E048460A766F32A370,SHA256=168D15FA2FE5B43D816720B7F21D0FEDC68E1A280B705779305B27B5E6C48F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046783Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:28.509{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F90DC9858E88D54A19C82546051900,SHA256=49AF32720332CD47F3FA9D44FC7FEE7DE50D83D057D64DB65EA1AF73A1C305CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033273Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:28.102{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D94D378233F88D6CAC6369FF639579,SHA256=011E4B78C78DF3F5BDA1E7DEC516188C5FA3B99EF9809FD3F7D6B0802AB3F79E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046782Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:25.514{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64390-false10.0.1.12-8000- 13241300x800000000000000046795Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000046794Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00913343) 13241300x800000000000000046793Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcd-0x033d4b59) 13241300x800000000000000046792Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd5-0x6501b359) 13241300x800000000000000046791Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddd-0xc6c61b59) 13241300x800000000000000046790Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000046789Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00913343) 13241300x800000000000000046788Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcd-0x033d4b59) 13241300x800000000000000046787Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd5-0x6501b359) 13241300x800000000000000046786Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddd-0xc6c61b59) 23542300x800000000000000046785Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:29.528{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2714F36D0908B592FC66DF3E5B349D,SHA256=31BAC05AC6111B3DE0B545A89E6D687462344EE51E1B2722DB0096F01E8CB74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033274Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:29.112{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A58FD08CB34E1DE5718AEC92DDC5A44,SHA256=843C5E5960DE0FD8A0B333EBC9FCE0765A6454175F9BBD240B3F350F30F8FAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046797Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:30.608{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046796Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:30.546{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51751275F7DC838435A79EB84BC0A40C,SHA256=35F55E14AB36DFCAB9F527DBCEDA4760E724544FBC61C8C8AB8D76120D477708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033275Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:30.159{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC334A295AC47E206B7EC8423159B62,SHA256=334B3E808BE0436236FF6D1197E3AA69FCD23ECF9134A7424205C458F5746A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046798Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:31.577{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E088CA9C17F89A9C6AEEB79F1B2889D4,SHA256=EB31925A2D145EFE513705736FE2708E815EC877EC62CC25A79A829821A1D496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033276Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:31.190{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86AFBD9D97A2C929DCB74B2C1B8496F,SHA256=3248074420BAD6EB657A5BB7BA1ABF965B125CF6CE1ABB32CC9897F6F6C96935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046801Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:32.960{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D1D8D918C4FFB2E34672E1F87A530E6,SHA256=62CB43AB7A738CBAABA84FED1A0527BCDF6BDEB598D91ECA5EB546EA4E6E1411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046800Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:32.960{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDE32F8252E6ED4BDC7745FEB21914BE,SHA256=5AD2D5088CAE88DEEE1CFD9D03274A6F4A4EC31ABBB5107FB572F19CCC52B11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046799Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:32.592{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9708F41C655B74F41DA694B6B7E5AC77,SHA256=4A6EE54B1992F96D5138C399241DB0BE99379D5A39FFA6504D304DE251184727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033277Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:32.191{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107521E16D44B841A75B93EA836831D5,SHA256=190CAF7D6403FA7AEA35548B5A480B0B9088622D7EE7E8BE76F7CD663C2B256D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046806Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:33.607{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3157BBD31236027BC73DD9356DA91E87,SHA256=3885B5874FA7724C2B12BEB0BA44CEC4FD8909333D81F71C10B9DEBA43488148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033279Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:33.237{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9C0C67E87F8BDFA92B192F65290E02,SHA256=FC7212C1F57CF364F7D85452D84DAD37BA2099DBB4436D3D553F8A1C6DF8E2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046805Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:33.544{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046804Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:31.381{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64392-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000046803Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:31.381{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64392-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000046802Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:30.628{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64391-false10.0.1.12-8000- 354300x800000000000000033278Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:30.842{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51535-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046807Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:34.625{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848D5DA637B84068E66C89B42BDCAB67,SHA256=D89E7198A8B25DEF8388B66FFAA80673366C6920810ED6B05221ABA0599016A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033280Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:34.253{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC217542712A3A9226E1BF47317DF807,SHA256=C5515F9506B48A62B484398BD01830E8AA4C6F5B6D9E4F4DFB39ED37CA90A489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046809Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:35.677{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F122AF0E4F88D3BB24E4096337D4E6C8,SHA256=E7C9D77521BB6B8ADCE1B87DBF82EAD50B09FBA1ED334A1885DAD4B0553EA13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033281Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:35.269{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5E60BFE99EC8F3272B71D1A7BBA12F,SHA256=A5E891B0F25F26D44030980B2A749A5116D995D2213B4BA930FA4E781F0157B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046808Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:32.958{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64393-false10.0.1.12-8089- 23542300x800000000000000046810Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:36.708{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEB07B951CED8A89B954E627B7694F6,SHA256=E1FAB223E5C87E25911A1EFB3C818BA0B3DC65030E345C2814EB0F124661652C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033282Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:36.284{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D922A92C93C8F0E85F155B0C78867A0,SHA256=4D7A60F39D16CF0E6C50EAEF287FAE1038555E5AFF9982051EFDF8F493083EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046812Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:37.726{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6495C709E4A629F01D12EED432AD00DA,SHA256=B1654FD2C0FE11706B3A62EB3B2CC844ADEF5C0A788F5B23BCEC88B2FFA0AC8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033283Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:37.331{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E7C96E18DF02FCDB0D3EB5F5E9CAAD,SHA256=1891B35CC682890E926B609664E5ACEAB5645185646ACD206301D8450D57BE35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046811Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:35.643{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64394-false10.0.1.12-8000- 23542300x800000000000000033285Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:38.362{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B1B4993EA9EC52FB40EC18F9E5B28F,SHA256=8D9A6329A7F511C45E3776A87F6314BEA0AED3DB173839BB3E438037E74DF383,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033284Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:35.952{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51536-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046813Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:38.744{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B6C94F85E78AF31CD77F09AAC93412,SHA256=7A2CAB1F2975F53FFBC53FCEB281AA1EF9B188D5E9306AE82BEFADA406757D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033286Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:39.409{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F00CA9992A5566F61C226D0EC83BFD,SHA256=8AC9D3BD2CC81DEE718BD4159C0D768E531F3EF7C4B54293D0B06DE255307407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046814Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:39.744{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39BC91857DEEB1F922B10C2C6EF94BBC,SHA256=EF8CCB6CBB6E800EEA249FCDFE4037116A188420441E1B8B37C26B1667FDD127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046815Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:40.744{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762959E57B406EAAA844B1A7C6ABD96E,SHA256=ADED97BB21119AA21630545EDB4FC90FB8E4AAF94D87252096FC8929513DBDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033287Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:40.472{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8471A848559BE9620C8A50989B5229FE,SHA256=A918D6629803D9AD33B0B515A5A1485660B440F0F3324AB59657BA26BE6E6795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046816Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:41.760{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1635D94959D36CEF5E4506E1801B4143,SHA256=6F2A3CD89F4A81ABDC04CE32E2EB890E987D73FFAEC43069A58A30DCD43DE344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033288Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:41.472{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA82E70B459232BCBD60236B2CB6E8ED,SHA256=4BA575C22FA5083F5DA70DB00F561B4D646B4CD6834224370B81E1A3CB3CC58B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046817Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:42.775{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D9DBF2D8D2B75A3582E987E30EB4F7,SHA256=EBC1A0D7AABC92B423EC5CD783235330C44C16E23F141494096E806073C976D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033289Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:42.487{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC1FD6A83E62E53B7583F743D0690D4,SHA256=5ACCA03B0D4E4B4F5E4824EAF6474D7BD8F153AB692FDB085A545187CDB326D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046818Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:43.806{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1488ED48B5985F819325E8FE80DBCA85,SHA256=1604A3B04195F0FF2DBF9DBD033F92381146B3C22FF59A6F1C77C04D50BF30E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033291Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:43.519{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2351D2ED033A9E70FA25E54208615993,SHA256=54A8F4E70103A5CC98DE39A24B687DAF67BCF0F377EF536D92C9A616388443BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033290Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:41.920{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51537-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033292Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:44.534{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE0DAE390FF7510E79FAA9E5C423124,SHA256=214D40B0C52FF561B60A76FF9DDA22F7BB57043CE259034EF6E920DE97C7349C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046819Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:41.579{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64395-false10.0.1.12-8000- 23542300x800000000000000033293Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:45.546{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03997636F8F64FB336DFACFA49B9B23,SHA256=873B198C7C010A1EA7211F6B9B7EB54F635D22ED0EF56BCE2724CB13C00D449E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046820Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:45.005{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6D8F5B69CDEE930E3239756FAFC503,SHA256=31A7F129E59BF0D00BF784476E78080EED833794D07F21F7BA7789F6F6A812D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033294Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:46.549{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4C0C2D67CFFEC85BDD468878550EA9,SHA256=32B3623363068522D03A23A5C4322848D82B0709476642F405C01EB25AE562C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046821Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:46.042{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8082A775089EC298C6709B52E96797,SHA256=3AB4B068910BE7D28829457DC2E745CFF39D77668CF05BFF6FE0F54D21107025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033295Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:47.595{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82FCB0923B92E74D7CBF81120882DF5,SHA256=87FE0DADCB7221AC3D73C1DA7A2B6B461E3F8260A7CAE363016E66FB9E8EC018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046822Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:47.042{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDFD317659921215B5258DA3B3FC8BE,SHA256=28363DF592AAF6134CD8611C9B3291CDD909A266F8F555CAFC02FA50BF279F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033297Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:48.675{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B391073888EF4A33A6E47C6FEAD8EE,SHA256=A65A5413434D67118EC8B60D661179B2F7BB0EC433E4A30885D9F08ED5D8CE4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046823Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:48.043{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC7FF5DF204144F6EA43AE1C621370B,SHA256=61A204118FDA40A41F4D73498FF99EB18BEA6F56A93BC011C709FE34BF47EA98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033296Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:46.997{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51538-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033298Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:49.691{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D640777660890EC683A072989E5B1E73,SHA256=B0557D85B4871FF95BBAED314FB92A221403D9C6A052226E16343F1C2E60104B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046825Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:47.525{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64396-false10.0.1.12-8000- 23542300x800000000000000046824Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:49.058{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE89FA92FAE312A40A194C605D152558,SHA256=1D9FB4E5A8088EED8640C872835EEE4AA7B80E823C3A9602887D23C5237C68BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033299Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:50.707{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D8F6FC1583EB45F7E202E347B5F0C7,SHA256=7871A50FCA955794736BE174CA718E2ADDC6EAD015C016833510BA1B73AA8C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046826Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:50.074{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA3053E69A366A5E694B3C38B4426F4,SHA256=8C958FE01797E62B9A4656B9181C6337A839CB7FDEF03EC6D02AADCBC33F5379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033300Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:51.723{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBEA56487CF0C3932ED4826F6245411,SHA256=9B60A63C4025FC1A9DAA2E737FC9617418C4603E91528F73C4D2A1007324E86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046827Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:51.124{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4D86F26F8B38EDEEEB9567257D9B4D,SHA256=B97D7F9F69E5F18B3FCCC3B8D66DBF48124DE325CD8ACCDEE2B1C69806FB55DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033301Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:52.738{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8E1AA544B449AEF28D29F032ACA6B6,SHA256=5CD439877985294FDF54BAEF1B8C12FCC3A78950587CF53457794CA1D76C3D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046828Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:52.128{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1EED7766C1E1F0F9141E6A0E8B780B,SHA256=84DF51D33C6387CDAADF725D1111EB8894C38990E4E9DB370E3B1892AFB79F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033302Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:53.754{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9599710670AC0B2D65049163A1C54387,SHA256=C83687FD652BC0C84ACC91719C1FB8F1DDEF86B1B2C81E14822E456D9ADB116B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046829Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:53.161{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D9CAA5B25533121EF88C60F777A630,SHA256=B7653CACA5C484D06ACCA867B8F53CD9880ABAD69F8849E893855F5B5FFBE224,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033304Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:53.030{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51539-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033303Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:54.769{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20566ED001C0C28B5F7A822E545EF557,SHA256=108D056669510A288C02EA855480C5866F2B0E7051BD31775D4F5BF532FECEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046830Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:54.163{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A915DA724F45E5660E05283463021B62,SHA256=E3B17757E191B90857BE63D242B410824A242E4102A45B208F9BF4A6ECEF62CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033305Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:55.785{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBE95B4B6B318572FE8555F3D49BD82,SHA256=A4E76C107D6E68AD54534FF7CF9AA635F5043328E7F1794639F06816B6CD9430,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046849Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.862{82A15F94-59D3-6112-3308-00000000E501}32325004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000046848Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:53.542{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64397-false10.0.1.12-8000- 10341000x800000000000000046847Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D3-6112-3308-00000000E501}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046846Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046845Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046844Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046843Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046842Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-59D3-6112-3308-00000000E501}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046841Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D3-6112-3308-00000000E501}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046840Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.708{82A15F94-59D3-6112-3308-00000000E501}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046839Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D3-6112-3208-00000000E501}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046838Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046837Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046836Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046835Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046834Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-59D3-6112-3208-00000000E501}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046833Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D3-6112-3208-00000000E501}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046832Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351FD53ABE1D4497BA77E30189A90D29,SHA256=4D37EAC30A5E18C5CC894A1ECD0568B28246419411B39FA1DBEC54A9524AD11A,IMPHASH=00000000000000000000000000000000falsetrue 154100x800000000000000046831Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.193{82A15F94-59D3-6112-3208-00000000E501}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033306Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:56.800{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D67F98A3503A015FC41240FBBF9B30,SHA256=BC2E35214C3341C84213C426CA3820528BA859510C04AB9602C390B88AA49FCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046860Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D4-6112-3408-00000000E501}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046859Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046858Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046857Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046856Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046855Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-59D4-6112-3408-00000000E501}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046854Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D4-6112-3408-00000000E501}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046853Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.310{82A15F94-59D4-6112-3408-00000000E501}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046852Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.192{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DD87B73021C904CB8F5B1FEA64A0EE,SHA256=62C68A24FE6256F0F37FA543EA263EA1E53763BD79013B80E7BA7A20E37FE00D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046851Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.192{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B1E3D096B3880F3C96E5FE80AC54F47,SHA256=7C0878A882EDB0CDDBE8297AB45477F1A4A0252BED9FD81DAFDF2D5B11D67D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046850Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.192{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D1D8D918C4FFB2E34672E1F87A530E6,SHA256=62CB43AB7A738CBAABA84FED1A0527BCDF6BDEB598D91ECA5EB546EA4E6E1411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033307Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:57.816{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADDB97A7197EDD563C4A7230F6BBDFB,SHA256=822E2AD313D810D6F9F7C8448875C1A681610F1C5E00E128B04ABB7B811DEE12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046879Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D5-6112-3608-00000000E501}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046878Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046877Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046876Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046875Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046874Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-59D5-6112-3608-00000000E501}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046873Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D5-6112-3608-00000000E501}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046872Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.977{82A15F94-59D5-6112-3608-00000000E501}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046871Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.460{82A15F94-59D5-6112-3508-00000000E501}3322240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046870Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.326{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B1E3D096B3880F3C96E5FE80AC54F47,SHA256=7C0878A882EDB0CDDBE8297AB45477F1A4A0252BED9FD81DAFDF2D5B11D67D82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046869Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D5-6112-3508-00000000E501}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046868Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046867Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046866Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046865Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046864Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-59D5-6112-3508-00000000E501}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046863Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D5-6112-3508-00000000E501}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046862Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-59D5-6112-3508-00000000E501}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046861Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.207{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E5CAA9AE020E866F196CB0F6EE5972,SHA256=291F847FFB24D888E84D913305F23E2ED201E572AAB9DD46E7133D4AE8A578D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033308Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:58.832{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023008BA586562269613C08CC8287BE9,SHA256=F916A3F1698A723B16C88A9BA7D25FAE1B643680DEF3EA314F84E76B96584BCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046890Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.675{82A15F94-59D6-6112-3708-00000000E501}60405624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046889Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.528{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D6-6112-3708-00000000E501}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046888Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.527{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046887Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.526{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046886Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.526{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046885Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.526{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046884Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.526{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-59D6-6112-3708-00000000E501}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046883Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.525{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D6-6112-3708-00000000E501}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046882Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.525{82A15F94-59D6-6112-3708-00000000E501}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046881Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.229{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15ED1D2D09291CB1569A7B288B4AE18,SHA256=C98CB4E04580B4252AA2C1EFC2B89DEB36181E323148370D710DD9F51EE79893,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046880Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.129{82A15F94-59D5-6112-3608-00000000E501}48845496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033310Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:59.847{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10998C80F8B9A7C1FBFEA9A6DC6AB6B4,SHA256=E069DAD9D85B5F66E6F81CA11ECA11514FBB229907557EF58009DD6342592030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046900Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.244{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB71BD2A10E42FC4F1B9F1E5E5AC2DAA,SHA256=47B8EE510DD476A5C15DA5774D2007FFBFDA24B2B9A657ED77FFDAAF6B2E3B11,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033309Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:58.030{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51540-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000046899Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.128{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D7-6112-3808-00000000E501}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046898Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.126{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046897Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.126{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046896Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.126{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046895Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.125{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046894Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.125{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-59D7-6112-3808-00000000E501}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046893Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.125{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D7-6112-3808-00000000E501}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046892Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.124{82A15F94-59D7-6112-3808-00000000E501}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046891Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.006{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B832C5F2A744F984697A77F3C0B13C6,SHA256=BD4B65B6B322137EDB1053583185AF67D5BF2D6BC8AF638A3EF1412DCCA98190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033311Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:00.847{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688ED9C85AA1979988F00AB614B7E0DC,SHA256=767D8BB85721DD5CCA94165264143E28733C4C39C22BD1F2A8FEBAC1FAEEC51E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046902Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:00.275{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4605FDC249131DAA7BC0AC91AE1B5C66,SHA256=8185742FAE3380BF77AEB23D77030EC8F01C56A90788FC7D85422AF00DC09A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046901Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:00.144{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDBD36AFC1B80D78A87F7690A26B9807,SHA256=373E3F590A85C9663E71F45E0ECC79DFCB8AA47043582E9CA410F886616FD173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033312Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:01.863{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8085EAB6BFFB57BFADF56706DD1D389F,SHA256=080F340B4C0AF6BF070425D3073CDF90F2C27BB162A1055A98065AA485A42705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046903Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:01.306{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C9F29F5BC846C7EA78F6307F86CB49,SHA256=C947D699712E8663FB326D4589D54DC7D148BA5AECDCC3E2EF575230DB128DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033313Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:02.878{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D457373E81291EF7712A946BDFBB76F4,SHA256=21CBE213C236A361CFB5C6EE27A4E57D595AC7ADE8CA9DFE5FE118FCB1E5798B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046906Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:02.324{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D10B7BD30EDC1D3F39A5DEBB83CAE45,SHA256=80000F37352CB4E1B5C0C320E023D7F333A806EE4033FB2B8BE8026A52541D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046905Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:02.106{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5BD35730958A5406461D72819625DED5,SHA256=60C7BDC99C3A884C646E5A32D488AE36123E6DAEC0FD5F5318F4E5996632C9A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046904Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.557{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64398-false10.0.1.12-8000- 23542300x800000000000000033315Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:03.910{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033314Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:03.894{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90FB6668434C0C11C528ABCFFB6F842,SHA256=FA90D6AE0C55C21F61E4098E1645C97F95647E5A44B55829ABF4E6E9A9052B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046907Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:03.342{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D05236D98524287CDA724D7C724BC0D,SHA256=3BF5F847F20A0D470CAAA860AF68EBC066CB70D59839030ACD58DF3F1837A6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033316Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:04.941{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351BCE467C300BD1B4E3D87B8301FEBD,SHA256=721DC7FFCE53D4B71110C1F1FE353E14D9F23534A5427D86061F238C553DCD5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046908Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:04.373{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126B0D0D0BB1D699450A705CC8B82026,SHA256=FA56F661DB48392897DD35B590F9542333E35F38B54398BB215EDA1D58A18A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033317Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:05.957{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E593A6062CFF73D3C1E5A2E9F9F0C0E,SHA256=B38418618B568FC8EDFCEB03CE5B592901522D05F426774F5E32C0FF05AB2561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046909Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:05.388{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0A7B1B93ACD10ADA45E2909A3C19D4,SHA256=728E922C975BB6B3B1870104A68DEDD04C5AC6A843D8251A53187CB4A803E3D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046912Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:06.555{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046911Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:06.555{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046910Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:06.402{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEAA43CA1A2A486CCFE3145860B6E005,SHA256=96A6999EA83C3977F85C4CDF4D8D565DE5F19F8B48597D29A0F3E9381E61F89E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033319Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:03.874{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51542-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000033318Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:03.671{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51541-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000046913Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:07.439{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01839AEB4D05D425226842C1F577425,SHA256=2D3346D56728AF6034927FE55E696FDCFA096E2707DDCA6B27C93FEBF323D84D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033320Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:07.003{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC81BFF7CEC483BD7DD0897604F5323,SHA256=D1958EDF8A7C7A4945B759EF49902E461DE9E1383C490E3D5EEF87A0E908684A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046916Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:08.454{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5537D3465ADDE1027D0A208450063A66,SHA256=92B44A8177F7D4577647F101EF8023E5E85EDEDFCFE527A7DEDBCB2802279B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046915Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:08.454{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=45AB8077EB9AFBD0A729DECE6B45C6A3,SHA256=A46C1D5D106E4490BF431578830BCA0A4E7421305BA2707FFC363D8157B88E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033321Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:08.113{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27392A52ABD41F7A364F9A08458A4A6,SHA256=E7E05412172B970B2F206118612E5A46FEAD54C4B90B94BA8E51527CFDC663B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046914Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:05.538{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64399-false10.0.1.12-8000- 23542300x800000000000000046917Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:09.500{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656FF3961E3E2C30EDC298A07F0005AC,SHA256=341251E36687962BD3DB550ED315E09000B2D20A57E27DF28CDB35A8D80AB4FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033322Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:09.118{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9124DA51564B752F610297A27F91E948,SHA256=0AC1DAD20C2139A505478AED085955967039AA1C11970D119E03C186BCB04AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046918Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:10.506{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFB4040D004F1263DE87184716EE2BB,SHA256=5BFC8D351984A1E8472257C294A714C66494FDC202D604E3EA18EFB673B4B554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033323Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:10.133{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91E866371F1F60CAC0E81120A37167A,SHA256=4D4CBAEB412B6F4F1E1A74487D39E46F918AE9DAE85CEBCEB152D4E7867695C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046919Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:11.542{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2172481C347934799D74ADE61D1C2985,SHA256=09338679A23ECAEE58A3FD7593485F314F281F736C386EF3793ABA17B9534C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033325Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:11.258{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108039D12523EDC29E04A95D8C1CAA96,SHA256=D86120C959D7BA29A23B17D95AC92BD692B786FC7117414EAE45A0F79222F0F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033324Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:08.988{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51543-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000046923Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:12.589{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000046922Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:12.589{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046921Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:12.589{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF91dade.TMPMD5=A72D704560554E569A1F2F3E1B129657,SHA256=A22BCA897F9BFBB1EB980CAFA2CF52CD83079651FFF0F1FD8FCC960A60172EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046920Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:12.542{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE74583F7B7C8EAD8690D3CA551588FE,SHA256=B9B3081D98CEE14F7A4FC3E0D280E832EB8807DEB4D9248350A7353E16C3B0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033326Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:12.274{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D05C3CBF6042F6B09A595F76AB88E02,SHA256=38C57917330C390A52942D1529E5C00F132584DEA72BB3CC2A4D189ED8A7F23C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046925Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:13.573{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3DA85C8CFD16F7971E1CFCD042233C,SHA256=CD1A297FA6169A05538D889740849D14DF9CFEF9B64447BD12DE43EFA4DB155C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033341Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.899{82855F7C-59E5-6112-AA06-00000000E601}16563736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033340Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E5-6112-AA06-00000000E601}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033339Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033338Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033337Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033336Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033335Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033334Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033333Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033332Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033331Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033330Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-59E5-6112-AA06-00000000E601}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033329Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E5-6112-AA06-00000000E601}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033328Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.650{82855F7C-59E5-6112-AA06-00000000E601}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033327Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.290{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03C98BBD98146C0CF74AA0506CDF9A4,SHA256=F58AC5C76A60E4265F499DF28FB6EBE4026487F9A29607CD2ADA6731FB1DB76A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046924Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:10.678{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64400-false10.0.1.12-8000- 10341000x800000000000000033371Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E6-6112-AC06-00000000E601}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033370Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033369Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033368Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033367Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033366Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033365Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033364Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033363Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033362Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033361Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-59E6-6112-AC06-00000000E601}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033360Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E6-6112-AC06-00000000E601}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033359Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-59E6-6112-AC06-00000000E601}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033358Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.805{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DF4CCD03D8C1DBBAB5B179F3DA677B08,SHA256=A4EBE2D1A7A34248F6A9E12EF05FC22DB3A6D24BBDEE03080966D3EC883E0657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033357Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.774{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04103D3C91B8A73476FF004977CB6932,SHA256=6D477D7ED87485A2D00AD585734C3989A301C354AE7F569ADB0AD24ECFFC6C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033356Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.774{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C04D212E250E85944C43DEC11946E67,SHA256=7BC9FD3A8FC71C30DC55580682F35C0B1EC88271473F3499300BC2C5B08D04A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033355Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.461{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD43619AE29494ABED9886B14C55BCA,SHA256=DB503CAC6B2C889E62DC022442F30FC262AF2032E53B104C6B4B87CD24D0941F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046926Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:14.588{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107677BF35FE1D90F9B093EC8B22A842,SHA256=6ABA22455D87967D75F36BF9B9C39B60804E7B7E39C975887EA3EBD831AA41AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033354Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E6-6112-AB06-00000000E601}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033353Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033352Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033351Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033350Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033349Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033348Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033347Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033346Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033345Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033344Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-59E6-6112-AB06-00000000E601}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033343Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E6-6112-AB06-00000000E601}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033342Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.150{82855F7C-59E6-6112-AB06-00000000E601}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046927Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:15.642{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9356F0608F16C081BD7E1C087B08A308,SHA256=9C7E025AB217846CD065F9862AE2A4B2BAF75F85381E5109A159A1E9C946EAD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033386Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E7-6112-AD06-00000000E601}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033385Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033384Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033383Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033382Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033381Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033380Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033379Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033378Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033377Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033376Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-59E7-6112-AD06-00000000E601}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033375Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E7-6112-AD06-00000000E601}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033374Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.931{82855F7C-59E7-6112-AD06-00000000E601}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033373Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.836{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04103D3C91B8A73476FF004977CB6932,SHA256=6D477D7ED87485A2D00AD585734C3989A301C354AE7F569ADB0AD24ECFFC6C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033372Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.477{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E00CED057FE4C6D4AFD2BC7D42AFF88,SHA256=3A143AC697376E09137AC97C57B709D860F2BF390A1DFF2AB7C4E7C759141143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046928Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:16.658{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FC2722216DCE40440A6C3E848A0149,SHA256=E2AB9B21362D44FBDA4A4398BBC618BA2D62E2A440AF8B013C88EEB88A193F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033403Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.946{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B66CCDCF141B1A3BD136C6B69DF07682,SHA256=D98B1208CDECC4D95DAD6E854A37E658F6F9EA15A5EF5BD7A0BF12C8FC6D2BD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033402Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.711{82855F7C-59E8-6112-AE06-00000000E601}27403804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033401Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E8-6112-AE06-00000000E601}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033400Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033399Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033398Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033397Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033396Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033395Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033394Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033393Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033392Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033391Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-59E8-6112-AE06-00000000E601}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033390Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E8-6112-AE06-00000000E601}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033389Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.573{82855F7C-59E8-6112-AE06-00000000E601}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033388Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.493{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F84F64E6C921912E0235F27F11D371,SHA256=531BA32FA3BCF25304854F65D2F5EC799E720E47850A6E426240735ECF4D1C69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033387Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.102{82855F7C-59E7-6112-AD06-00000000E601}27081848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046940Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.858{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046939Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.843{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046938Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.790{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046937Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.790{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046936Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.743{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046935Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.743{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046934Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.658{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473F721AD741238FC314A56943C5BEA8,SHA256=87B8131166595104BA079BB32E5140508AA5FFD9C720ED9CA991D0B8AD6F0686,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033432Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E9-6112-B006-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033431Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033430Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033429Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033428Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033427Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033426Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033425Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033424Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033423Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033422Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-59E9-6112-B006-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033421Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E9-6112-B006-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033420Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-59E9-6112-B006-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033419Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.571{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE996C5833075FBB1976FC1A3C57CD18,SHA256=E4DC67383E39C31A9E97F482E0882ACD15C2C5D02D9B72C01EAAFC04D0BC81A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046933Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.188{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046932Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.126{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-CA04-00000000E501}6944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000046931Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.126{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-CA04-00000000E501}6944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000046930Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:50:17.123{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6944.18.59231107C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000046929Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:50:17.123{82A15F94-3D8B-6112-CA04-00000000E501}6944\chrome.6944.18.59231107C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000033418Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.399{82855F7C-59E9-6112-AF06-00000000E601}22162984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000033417Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.972{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51544-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000033416Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E9-6112-AF06-00000000E601}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033415Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033414Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033413Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033412Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033411Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033410Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033409Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033408Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033407Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033406Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-59E9-6112-AF06-00000000E601}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033405Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E9-6112-AF06-00000000E601}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033404Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.197{82855F7C-59E9-6112-AF06-00000000E601}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033434Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:18.602{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2006601ECDC450EC86644F583C78492A,SHA256=E0669F005B448ECE8C0133EAA2148B827ADA84A438401CD305E3966C5C9F668D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046941Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:18.673{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E8022476633900B079BD54AD5AC165,SHA256=026B5A8E7B98E18F415411FE091FEC23FD3E610A5332F221025C8530B1B14295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033433Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:18.227{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EEBCB9246298CDD94418DFBB6B51E63,SHA256=85D7ACF1D7EDEFDD79A86FF38EDD15AA3403D6119E679F2959D81B3C0CF7B522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033435Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:19.633{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78887BC245BF2C12FBA8AD4280CD6B93,SHA256=C5B69D5129A6916820AC005FDEB08B0F818F4739CBA2134DDA321A29393E252C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046952Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:19.674{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618AE0D7EA75A5983C41D01C7013BC1C,SHA256=C8AFB21EB4505B0CB3FBE17D49038A9836800DDC0A68CCBFE1735CF1858270E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046951Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.243{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64405-false192.229.233.50-443https 354300x800000000000000046950Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.226{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local57850- 354300x800000000000000046949Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.223{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64404-false104.244.43.131-443https 354300x800000000000000046948Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.214{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local59005- 354300x800000000000000046947Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.143{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local65535- 354300x800000000000000046946Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.142{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local50600- 354300x800000000000000046945Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:16.644{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64402-false104.244.42.193-443https 354300x800000000000000046944Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:16.439{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64401-false10.0.1.12-8000- 10341000x800000000000000046943Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:19.043{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046942Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:19.043{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033436Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:20.649{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CDB10C638E2519D51FEC057266022D,SHA256=B64F7F8662EF35259B693A85F04208CA2A933A75A588A69F24F32F107EC85AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046961Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.998{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1504F758F97C6EDDFA2C3307E2EFF4E0,SHA256=E904BD08C167AB39F42013AAD22BF60F3969164A0C94E96B3185C41D5F87DF84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046960Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.967{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A2E145DADF2DCD3D58E8C0ED650C9966,SHA256=D7BE96C88182BF2093285E92DCAD6DE82667ED67E8FFF98D58FD0E82E502FAFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046959Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.945{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C3C85BCB9C70CAFBA822E1D6BC105A85,SHA256=7D8B15E8608442D877F436E4C25616FF6A0753C0F488859920D54342C7C45000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046958Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.930{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C898982A0FA545588297FE55F26C26F0,SHA256=9D899DC51823C8DF43881D40BB73495142DA8D82AFA9477A4005A128A4E1DC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046957Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.930{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=356A53F152027532326C4C628AA04AA1,SHA256=A90E853BE619ED948EFF2668830810E4E18836CF89A1C92B3BBFE56BEB4042E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046956Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.883{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0C837A5B6254BF3AC181381735CEC4A9,SHA256=606179C2CAFE0ABDFDBC1E5FA60B8FEA482B700231E1F642FA45573E60DF0DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046955Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.862{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B094E9FCEF5E88297F4ED0F098A8B8C,SHA256=0664FF9FF7DD66AA25537B05369E7302B30728B39609A1775A423D0F4CC90C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046954Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.824{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E85FF3392FF12248FBA3E776F962DC9C,SHA256=389B23D56C8644A97F394F6AF83AD070493EAB54D1A4E31476B61153F70983A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046953Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.704{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B63554EC096E7167CC64A33A471FE50,SHA256=E3D6CFCC2794E623CD42EDC582285189FB262989B7CF2168A86F878130D0763A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033437Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:21.727{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF787026F5A03F9BBDF2ED7099D17430,SHA256=FDBA688BE2DF3DA6BCF0974FFF6AF4E61A9D19F17828524561BAE038C892E9C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046983Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.799{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40EFDE8790E26D9D562DD2381A559971,SHA256=9A1F62B0FD7F63E2772B4ED6E5BA07F5218F26C5032735138601845F099949D3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046982Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:50:21.584{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000006e1) 13241300x800000000000000046981Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:50:21.584{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{49dcdfda-5f3f-4de0-9a45-6ee94382bda9}v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=2330|Name=New RDP Port 2330| 10341000x800000000000000046980Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.584{82A15F94-3494-6112-1500-00000000E501}1236908C:\Windows\system32\svchost.exe{82A15F94-59ED-6112-3908-00000000E501}1996C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+dbc2|c:\windows\system32\mpssvc.dll+3014e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046979Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.446{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=626E5FCFB2A88459BFE0A79BD6E9489B,SHA256=EE91FF9745B1C4C9A71B8304EE2A1837EAC763834FA2AB6C82B929C76E200B7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046978Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.384{82A15F94-3494-6112-1600-00000000E501}12884316C:\Windows\system32\svchost.exe{82A15F94-59ED-6112-3908-00000000E501}1996C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+a8874|C:\Windows\system32\wbem\wbemcore.dll+634f0|C:\Windows\system32\wbem\wbemcore.dll+f474|C:\Windows\system32\wbem\wbemcore.dll+b6f1e|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046977Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.368{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-59ED-6112-3908-00000000E501}1996C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046976Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.366{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-59ED-6112-3908-00000000E501}1996C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046975Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.366{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-59ED-6112-3908-00000000E501}1996C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046974Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.346{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046973Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.346{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046972Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.346{82A15F94-3491-6112-0B00-00000000E501}6326204C:\Windows\system32\lsass.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046971Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.331{82A15F94-3494-6112-1400-00000000E501}968172C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046970Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.230{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C9E32AFCC589793336B4C1E24DB775A3,SHA256=70CE659F196108FA0801AE935B952AEE8907249010891576EC6D24434713A540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046969Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.230{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8DB3E24E62550D6D1273545C256465E0,SHA256=57B0F3B9612982D4757BCDAB7EBEE9CC97ACD5ED8C54E89081CB28283F862764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046968Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.215{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1BF4F542BD2B1735BEA014662BCA0F91,SHA256=39BD5433F6A1E83F0532F79211D517347A4F61FE0E2FB84F323FFFBA615504CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046967Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.199{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4AF3F40D80049993AA80EFFF1A5E24E3,SHA256=181C9F10FDF006C56D537AF5CE6F00EF7AC0EA72558B4097B663537F1123B3F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046966Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.168{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5F127BC971E7620ACBC7F1D87B8D1A3B,SHA256=2577D9D4AFF59935863DFD7793BE341174C07123AA313822FC3CA395D5CB10B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046965Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.168{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=433D8DE7B15E8E44E351219B17998505,SHA256=142E0BB7B08264F58CC3202E0ECB346CFF0A11BF1EAE8244503A5FC7728EC77B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046964Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.114{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=38EAE5E442CFA07E12FCD37CF722635C,SHA256=A0718C4773406B16F3F62BE62053EA81555F86A8EC7B89DE8942E3BF9CB8290B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046963Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.099{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8EC224C65CA32C5CC28B53093A4D1A6E,SHA256=3FF71A1FB00923480AFB847E04D7B7A4404C53B87B87450662AF36F9ADA22E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046962Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.045{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1F1888545E15EB463ED12133799B9684,SHA256=05589CF97DB71D613F63BF3AD7EB5D065E2E26B3F806031355D7421807EAF7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046987Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:22.814{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3CD55D213C6A10925497B18B7E4B7D,SHA256=138663FDE2CB816154E39F46D68D125CBF73DDBC4FEC05D99A23411AEF4FFF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033439Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:22.758{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32EE015F39D8F00832CF0A1DB9BDBFD,SHA256=53FF1C12589BAEE922C1F61DD47D50B3122C51E63150360830BCA5CB4AE1054B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033438Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:19.988{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51545-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046986Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:22.599{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B08D4DAA665EAEDF3E02116FE103DD26,SHA256=F7FFC44832B9DF224FDDAE36D9EB215129EA989EF57092DCC4F4A5F570DBDE93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046985Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:22.383{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65459C9D564697FF84DBA68E4B91CA43,SHA256=B0F3938D4341A08B8DD4AEA6D571BB5206576F0C8EC6A09C2C6A0A9BCF81EB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046984Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:22.383{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EBCE76450A1D41A6A854130DA2D6EAB,SHA256=D79E46FE3F50CD1BC32701F49490A3C4BF97FF0236176BB2D9591176AB95F034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046988Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:23.829{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54921DB62D53BD12136400D342CE275,SHA256=CE17097E00DE44EE0359C5BE8AABC06AAAC361A1A13648B1C77303D5159AC3E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033440Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:23.774{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749540CD3CD771A0102F6EA7E247CA28,SHA256=E700E8FC9EEBBD2E64F3903FEADFF13F955F9702E8BD7C2B87CE161174DD5624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046990Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:24.844{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DE2F7E2A78C9297F393BEA1962F078,SHA256=4D17803C8BB5FC5E842491692546C9227D12E3FAD2E368D2F2E9F8EB7E5B1B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033441Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:24.821{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBDD8302937F202276218E1ABD88616,SHA256=3E5F84D352AA861114A862C11A0921F74A611C5E8F369FAAF6A40799AE477C73,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046989Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.600{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64406-false10.0.1.12-8000- 23542300x800000000000000046991Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:25.861{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9A1403B270820910A03A43FC5B8DAC,SHA256=97A2EEEA6968111F33778C3382F8DFB97C2533B8B52BF8E9E03E08937791F31E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033442Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:25.836{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98524D8895745E244CE72078F565C3C,SHA256=A08ED341292F4FC570823EB65CC189FCC6F21F51BBA636178BD9921740EB3BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033443Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:26.852{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3286BA4176F543C497841B95CF48E3B1,SHA256=E928B8D72DD219404CF431C1BCB30A577D6689AF49335E93B66C9C1F3330FFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046992Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:26.879{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CBFE8301DA7B6E555BAA7B54FC744C,SHA256=C436B0E9B61B8461685350CF87F0005010ECA83AA599040C77F9399BCDA0B5DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033445Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:27.930{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E3CC8B052D195B35AED98C356E53D4,SHA256=CC57BCAB295D6E47C3B18A145F22AAF0CA5F7E8A29597EE39836167CC7889CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046993Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:27.910{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4728FE4D9FE13F1494FBB786AD5E7DE9,SHA256=4BF48541E7B699795E9A3B45EE24C6943EFBDEEC25E2FED5A535B306EF0EBFD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033444Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:25.925{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51546-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033446Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:28.935{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92C2A617D36A0B86DCD62EC53F86366,SHA256=B40969EADB033E7813981794E0F8501736D3B4F10EFD37ECF53ADEADDA02FC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046994Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:28.911{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE52E639EB1A9BD2E59A5886FF570CA,SHA256=202F615404A69D0F42116D60EA0909AA4FF283BE4F91709583AC75CA34E3F80E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046995Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:29.926{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1633957A35B30483E1D73F295FD4DFA5,SHA256=E6DC4D46C21A4D2E6ADDD839E5511612CAFEBFE9CBBAD7C612F847529F313844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046997Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:30.942{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95488E6D34E084813EB82C3A738C5711,SHA256=23FCF72DD910B5470D60921C3D978D59750C7D141181D7A56FF9A44DB3FDB6CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033447Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:30.013{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B8A0077A0856734587ACBC93F0EC93,SHA256=CCB46D8AEA0283FDD4C352741AF5B31E2B22382425466619A7CC3FAE8C43DFDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046996Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:27.529{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64407-false10.0.1.12-8000- 23542300x800000000000000033448Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:31.044{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC5B4209D9A8426738E2BEEBD245124,SHA256=9D7ECC69B509D934988501B98D7AFC76F9DA1630E3EDD81B8E527A42BCFAB60E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033450Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:30.961{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51547-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033449Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:32.138{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3E9549A1520EE9B58340932BEBDBD6,SHA256=2685A226622DE1F7DE5ED4CAC7B561AEEF48287228EA20A50CDBD9EE0C8B24E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047001Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:32.978{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB002C1788C89DB8D2842681B4313602,SHA256=CFB349F9FFBAD6C2EA122428BF2467D57AC70F6133EE2BA53C015695C2A08A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047000Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:32.978{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65459C9D564697FF84DBA68E4B91CA43,SHA256=B0F3938D4341A08B8DD4AEA6D571BB5206576F0C8EC6A09C2C6A0A9BCF81EB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046999Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:32.778{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046998Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:32.026{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39385A1BBFD701B7D52BEDCC2F2D58DF,SHA256=0086BABEFCF74744CA342C0C61170479EA23DB80ACA75F3AFBB14BEAF1038288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033451Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:33.154{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B54BB2CC3EB17BAAA492D4E56A25987,SHA256=01F9B7590B7F4190D96D23B8FE0B19EF3F7BEC3C0C85AC9F4C9703B78EC17723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047005Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:33.577{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047004Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:31.392{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64408-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000047003Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:31.392{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64408-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000047002Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:33.040{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B16DA19DB2491A304431CDF5E8668C,SHA256=B7A2191DF508E536FFE265FDB432B6EC3AAA4C70DD81FFF9C09BAD703A4E01EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033452Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:34.201{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E380C30F439D214787994895A6620E4E,SHA256=CFD9AAA5661D1D67523C16EBEB0D81F63140C6E8478CFC22B76EB1DC54040D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047006Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:34.059{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8887CBD2DDEBBE1A02F47B3D2B78F16,SHA256=E4663BCA1AB00568539B51FB026736CA8E682D2CBA46045C65E94BB1F282DE48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033453Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:35.216{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE119DC0A52513E53C2622378F00F5D5,SHA256=381CDE07108C1E8CD4A3EC171059D39BFFFC896BE204B7E471545892C4904C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047016Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=4FC837202165CCD4B5F67D4F4BA04F94,SHA256=21908AD7A92F2A14BBDBD74F778B3AE4F54E9AD0F4BF172D330E6E6D617E4409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047015Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=597560EBD2CFEF600A3152477A5EA7AD,SHA256=26FF454367ABD830A1C2A41D78E96410FEE1CAE2C226EF23F348C43EE4C94657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047014Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=CF09B80BEAE606E78FDA3BF3A8C7F275,SHA256=36D6A6844BA8EC296E34D95DC874BB8F1F4C3AB389A090D9E1E465A06A520DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047013Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=2811E2EB41F3C8F80C10AC06DD6ADBC0,SHA256=A55D5DBA7F55F6F184499493784FCFEA76D16B54368560708E31BF2B6EEFE283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047012Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=2D4DE304F21D36EFA5ACFD62F514DF40,SHA256=3BCBAF47CF9ABEA808C2F0774900F688877F6BC5059BD64593ABE8E58F9F188F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047011Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=6513438630523B3CD7548B61D4359CF2,SHA256=24B06D9FF28E23EACC7F36C4D9B8996B475EF3FE398178AE15852BCA776291B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047010Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=7E5B74949EA4F0ADBEAA1DC4B0AF8377,SHA256=4B195361A1D7F04A81AF4F722F5C4DD0AD13E6F2950DC496EBDEE1D28DD37D28,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047009Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:33.544{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64410-false10.0.1.12-8000- 354300x800000000000000047008Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:32.991{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64409-false10.0.1.12-8089- 23542300x800000000000000047007Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.092{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56C27BD01753BD4459E588571A49B01,SHA256=E3BCDBD81B196C0CF6AC0FDF554B439A543B65E1461F25A1D7C6947ADB5D783A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033454Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:36.248{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913E16705B64E379892C0B267130C18F,SHA256=EAD40B51657BA44A9115C0E1CCF585AA0ED71A8047AA6A6F31F8D9D7351AD7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047017Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:36.106{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6E9AA6D08ACB48AA3E0EF9DD1336ED,SHA256=68C41D977A5C8A6C64E6248B76586FA46A4D0719123248763440BBE42A3E7CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033455Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:37.279{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54887912AD764817D124F53761B91012,SHA256=CCBB4B36BE9744DFCB68BAA29F375742B6F4FC4A1933E20B68C3333A400AB0DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047018Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:37.121{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A27B48EDA3741DECFB724D1A81B1CF,SHA256=5F6AAA8A64CDDE5ABC8ECF7388F66BC51DDCEDA8512E51B89FFA280C17372B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033457Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:38.294{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB218C6FC126E057C7AD7D91DA5774A4,SHA256=35B54B684F6EA9DD0A32124260EB448A26CB7876A25D52588BA7F8C70A4D0DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047019Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:38.122{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5497D7F662686EF7942D75FD43BA8721,SHA256=CDD686E29F35CD61BC1F9B4B350541CD6C60A83B9F14BEA43AA96B66F8D5BB0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033456Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:36.023{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51548-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033458Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:39.373{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66271CAD0B34361815CEED71A4E9A788,SHA256=7F5F7D2C3510C792B3DE97B4515827EDD427D21A435A4E44731D2DA8D742CA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047020Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:39.136{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB19E9929AAEE34D9A186768F224045,SHA256=6635CDC27D6A52BC93A389D2B2D1DB4259D4BF6D101EE53B6EA068FB6F399353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033459Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:40.388{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089E6A1C57DC3C28A6DE6C944E7E8F2A,SHA256=697A4687052561455E14D9B3D6DDB813C1D073DA012A426C7640C9ED425FB509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047021Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:40.154{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1891C29EEC854704D317BF69AE6FC2,SHA256=FC315A1E892F11AE0775B50E0FB9EF65FEA57FE6B52ED403724C954D431742A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033460Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:41.404{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF604BD9CAC9AC38D74898BAB6F2532A,SHA256=4C03206991DD766BE5A9BAA78A941C826FC9EF7F616D2BC1DFF2060686F9F48B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047023Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:39.541{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64411-false10.0.1.12-8000- 23542300x800000000000000047022Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:41.189{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAB05692471F7AAB35A678809A84CC8,SHA256=6EDC9219AD5867DC0B69E01B6EB72957CEDF31B13246EB85E7CD984C25977AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033461Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:42.419{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6344E4386DAA58472BD6ABFE3028669,SHA256=D438840BAFECF9296C4AAC90A21EFBBC3301D3A4F4C908C9D6AFC2FC9335179F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047024Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:42.204{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94CAF76E12778F3E4C96DFD4820D34E,SHA256=11D23B455A7A5B7B7A8ECC197CA586D4B3A5348773A8C327377F5C58D42BA13D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033462Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:43.435{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3103FE87DAAE13FC169143D8EDB20C,SHA256=04BD125F0F8EE2C6DADBF78F073CBD70FCE49618FEA9304F8D8DB2283EE5698F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047025Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:43.252{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE8AA30CA233901F12E75504DDF9E5D,SHA256=2C9FBC01660DD94420137CC958225A2BB9EECE8DADD9D0BFF9A3D1C8464FA787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033464Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:44.451{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385ADBDB96F119EF4703F2153D76A8EB,SHA256=EC170BEF19F2577EA983BDF26EE4F4251238334B44EDC0B6D142525E85044BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047026Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:44.271{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE50FFC80AA0A6E5F75DA02AEB9F306,SHA256=1B102ED115216DB1C92E299BB9ACA04B3160C1726CF8D6A88995DD8385AEFD93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033463Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:41.836{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51549-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033465Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:45.452{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50386BF04C1C410910E558C9BC2BC033,SHA256=C4CD2904638F30E92B62A1A938994995BE4C79ABDAF5BAA11220D35DAFC9C80D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047027Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:45.302{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7568C1A7C1FA0615F73C803BFBE87D,SHA256=A26CF884D5352C6C020EEB0FE9076F7BB6B65D18350EBF0EA04A0D87E2E1F080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047028Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:46.318{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1579C3D63DD652303744FBB664A4BE,SHA256=A2ADAA0C441924C91715B0B370C47384A3C1581892238036791E974729B9FEDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033466Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:46.471{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9868FBE2AC676BD92B303D7089628B5C,SHA256=E858E9793B6BA2FD4FE640853EE37FD7B5DEF41D874E2130B0C194F0DE98EADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033467Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:47.482{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F89F6AB074A9ADF07A681CEFEB156C,SHA256=4F758C2B4AD5BED1D9A031A143606B5604E9DFBB24CBED8F8665AA5BC80EDC5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047030Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:47.351{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5311A8B63037B81DC6C50FB0BD72162A,SHA256=96D1F17A7EB1F6F2B3C10753D0A4060E9B04A64D74076C5A03363E259CA05EFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047029Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:44.637{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64412-false10.0.1.12-8000- 23542300x800000000000000033468Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:48.529{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8A5F2CCBC9AA5A972F9722651CBE76,SHA256=72C9E1683389349B9C1949DB8CC8BC9F00E30DCBCC7C056ADD477F996A327260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047031Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:48.370{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DD9FB738E23BD6C5FD5ED4AC0FB98F,SHA256=0C09DE0543BCE9855172191CC4C2531E82BFD99B198F4B6286957DF4F17EB5C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033470Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:49.562{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E573142B47E5CCEA266FFA1F45E696,SHA256=F855875B7A690CB0D34CBF461C82E68FA995B4EC13D3188F52B22F7079FDD8A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047032Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:49.386{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7393DCBD7C8917057140412170E3D5C2,SHA256=6327AB7DF34761902AE5DC8F5C6D9F9243447ACAF875E48E6BB6C669A49541E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033469Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:47.037{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51550-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033471Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:50.577{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAE8F50D8B80E73104F506A147544C7,SHA256=C4255C60139BD962116E52FC1C297BFD135ED83346A62478BFE75E94978410B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047037Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:50.417{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCAEA85FACBDAE0965C4884024225BA,SHA256=5D429C1862131C4B773D1035C24D6C0BE01A25FA3CB6745DEE2450CD8D2CFDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047036Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:50.186{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF926db7.TMPMD5=98D337AE5290E897B55C45A1E233320E,SHA256=AF7E2A4CE72342DD3A7EAE18801CDB1C6819994A4573C77DB257BDABE8CE6FD1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000047035Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:50.186{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_72a46034-0694-4bbf-811d-18401756159a_Untitled2.ps12021-08-10 10:50:50.186 11241100x800000000000000047034Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:50.186{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_d15fe150-5051-4487-ae6a-742689c11c58_Untitled1.ps12021-08-10 08:52:49.598 23542300x800000000000000047033Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:50.186{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_d15fe150-5051-4487-ae6a-742689c11c58_Untitled1.ps1MD5=D184347490C1D817E7F1FCC641863924,SHA256=C871A3D5D4DD6556C7D6F532FD313023B15DB2B858AED8F5AAAEBF683E3A4E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047038Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:51.451{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE3520188BB36EF85C2F0AB721E4B70,SHA256=3ACFCA1BC62D077E721ECE3D62006C61ACBD261F7B02BA68BDDB3C5EEF09173E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033472Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:51.593{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D6816F08E2967874E05CC0D1CE1BB8,SHA256=4DB810FCE31A8CF7DE0EA8DED509C81DF508A3ED2ADCD5FD02D11B5BDF76A11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047039Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:52.486{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7301169101D6FC3D18FE0CE3CBB0E7,SHA256=C1CADB5DF2912A20CAF1CB8C8996C96CF3740045C45F32B1A51604CCD07DD868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033473Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:52.608{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62712A0C5CD551A603B0695B593EE945,SHA256=F43472EADF42559F590AF234CA604DDA698EE0DE9439A0042E421E1E1E21EB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033474Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:53.608{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917C1D41A8BCF96184BB00F36B3C51CE,SHA256=CC4BD51D6A92988FEF3181E14413D9C5F09A391A859774CA41B193A967D70D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047041Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:53.517{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFCF6B67958F98F72AEC3970278E7F8,SHA256=8BBDEA0E24E77A6357041A265AD67E35779B9B7DC5FEB6F443614E3CE41BF5C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047040Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:50.621{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64413-false10.0.1.12-8000- 354300x800000000000000033476Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:52.947{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51551-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033475Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:54.624{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A59EDCF6521170DBEF74B706451433,SHA256=EB5529D0FED56167324B92FF08FF4990E1037C6D9EC781D3841B164642F8C654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047042Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:54.532{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA72B51030E6FCC15C53101B3F339FD,SHA256=93C30D362B16957D428B255903E38A20F32B1679A4A60224BA4978631D259ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033477Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:55.671{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe